Date:      Mon, 24 Jun 2002 22:28:32 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Brian Nelson <notgod@notgod.com>
Cc:        Theo de Raadt <deraadt@cvs.openbsd.org>, Jason Stone <jason-fbsd-security@shalott.net>, FreeBSD Security <security@FreeBSD.ORG>
Subject:   Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability 
Message-ID:  <Pine.NEB.3.96L.1020624222533.43916H-100000@fledge.watson.org>
In-Reply-To: <3D17D3BE.8010803@notgod.com>


On Mon, 24 Jun 2002, Brian Nelson wrote:

> Theo de Raadt wrote:
> 
> > Jason is begging that I release a patch tomorrow.  What do you the
> > rest of you think?  Do you wish to be immunized first or should we
> > just post a patch, and have a public exploit a day later?
> 
> Just tossing an idea out (that I am sure a great number of you will not
> like)... 
> 
> How about working with the OS security officer (and whoever else) to
> release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not
> have the patches committed into public view (CVS, etc) until you feel
> it's the right time to release the specifics...  I would think this would
> minimize exposure while allowing people to secure their machines... 
> 
> Of course, this assumes that you (and other people) trust the SO's not
> to use and/or publish the information without your permission...  maybe
> copyrighting the source (like the OpenBSD iso) and then you can manage
> the permissions on the source patch...  and release the rights on the
> patch when the moon aligns with Orion's belt.... 

There have been a number of noted botches relating to this approach in the
past -- several organizations (formal and informal) have attempted to
coordinate advisory release and containment of information relating to
vulnerabilities, and often some combination of {accidental leakage, early
release (oops wrong button, didn't read the date), etc, ...} occurs. 
Obviously, we can agree with Theo or not about the approach that is being
adopted this time through, but I think it probably is naive to assume that
tightly controlling the information flow under the current circumstances
is entirely feasible with larger sets of operating systems and security
officers involved.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
