Date: Tue, 25 Jun 2002 13:09:28 +1000
From: "Chris Knight" <chris@aims.com.au>
To: <freebsd-security@freebsd.org>
Cc: <keith.stevenson@louisville.edu>
Subject: RE: Hogwash
Message-ID: <005301c21bf5$b8d32ce0$020aa8c0@aims.private>
In-Reply-To: <20020624225524.A96380@osaka.louisville.edu>

Howdy,

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Keith
> Stevenson
> Sent: Tuesday, 25 June 2002 12:55
> To: Jacques A. Vidrine
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Hogwash
>
> I hate to intrude on the conversation, but what is FreeBSD's
> official response to this? Posturing and full-disclosure debates
> aside, I'm inclined to take Theo's warning at face value. I
> know better than to expect my commercial UNIX vendor to act
> swiftly, but I've come to expect more from the FreeBSD project.
> If FreeBSD is going to wait until after the exploits are
> published, please let us know now so I can plan appropriately.
>

I don't know what the official response will be, but given the lack of
information regarding the exploit, plus its effect on a privsep-enabled
ssh, it would be mad not to recommend either turning off sshd, or where
that is not possible, using firewalling rules to restrict ssh access to a
limited number of hosts.

I can understand Theo's concern, but the side effect of his actions is
simply causing FUD. There will be no guarantee that vendor implementation
of privsep will stop the exploit, so turning ssh off or restricting its
access is the wisest course of action.

> Regards,
> --Keith Stevenson--
>

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
Web: http://www.aims.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message