Date: Mon, 24 Jun 2002 21:52:32 -0500
From: "Jacques A. Vidrine"
To: Robert Watson
Cc: FreeBSD Security
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020625025232.GC43738@madman.nectar.cc>

On Mon, Jun 24, 2002 at 10:18:19PM -0400, Robert Watson wrote:
> In order to do this and maintain PAM
> support, we'll be jumping from the base OpenSSH distribution to the
> OpenSSH-portable distribution, which includes support for PAM (as PAM is
> not used in OpenBSD).

As a side note, this just forced the issue. It is kind of a
historical mistake that OpenSSH-portable was not imported in the first
place, and there have been several discussions to make this switch in
the past.
DES has been kind enough to make the switch with this upgrade (or
maybe he is just trying to save some of his sanity :-)

> It's not yet clear how we should handle OpenSSH and the various RELENG_4_X
> branches; it might depend a bit on the complexity of the merge work and
> the nature of the vulnerability once vulnerability information is
> published.

It entirely depends on these things. Due to the nature of the branch
(minimize featuritus, just security bug fixes), my feeling is that
OpenSSH will simply be patched, once we know what the problem is. One
following the RELENG_4_X branches _generally_ should not need to
reconfigure their systems, and this precludes most whole-package
updates.

> Typically for patch levels on released versions, we've adopted
> a highly conservative approach for security bug fixes, avoiding complex
> and risky changes and leaning in a more minimal direction. Obviously
> which way we go on that one will depend on the nature of the
> vulnerability.

Oops, I think I just repeated what you said.

Cheers,
-- 
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se