From owner-freebsd-security Mon Jun 24 19:24:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 8A85737B41C for ; Mon, 24 Jun 2002 19:24:18 -0700 (PDT)
Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P2P1LI012658; Mon, 24 Jun 2002 20:25:01 -0600 (MDT)
Message-Id: <200206250225.g5P2P1LI012658@cvs.openbsd.org>
To: Brian Nelson
Cc: Jason Stone, FreeBSD Security
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
In-reply-to: Your message of "Mon, 24 Jun 2002 19:21:50 PDT." <3D17D3BE.8010803@notgod.com>
Date: Mon, 24 Jun 2002 20:25:01 -0600
From: Theo de Raadt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Do not let this man drive.

> From: Brian Nelson
> User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: Theo de Raadt
> CC: Jason Stone, FreeBSD Security
> Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
> References: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Spam-Level:
>
> Theo de Raadt wrote:
>
> > Jason is begging that I release a patch tomorrow. What do the
> > rest of you think? Do you wish to be immunized first or should we
> > just post a patch, and have a public exploit a day later?
>
> Just tossing an idea out (that I am sure a great number of you will not
> like)...
>
> How about working with the OS security officer (and whoever else) to
> release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not
> have the patches committed into public view (CVS, etc) until you feel
> it's the right time to release the specifics... I would think this would
> minimize exposure while allowing people to secure their machines...
>
> Of course, this assumes that you (and other people) trust the SO's not
> to use and/or publish the information without your permission... maybe
> copyrighting the source (like the OpenBSD iso) and then you can manage
> the permissions on the source patch... and release the rights on the
> patch when the moon aligns with Orion's belt....
>
> -Brian
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message