From owner-freebsd-security Mon Jun 24 20:31:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 67B9937B401; Mon, 24 Jun 2002 20:31:43 -0700 (PDT)
Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P3WQLJ024062; Mon, 24 Jun 2002 21:32:26 -0600 (MDT)
Message-Id: <200206250332.g5P3WQLJ024062@cvs.openbsd.org>
To: Sean Kelly
Cc: Ted Cabeen, "Jacques A. Vidrine", freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
In-reply-to: Your message of "Mon, 24 Jun 2002 22:29:27 CDT." <20020625032927.GA6579@edgemaster.zombie.org>
Date: Mon, 24 Jun 2002 21:32:26 -0600
From: Theo de Raadt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This one is clearly different.  We have a tool which can avoid people
being holed, without having to publish a patch.  If you don't understand
that, please go back and study the situation more.

By holding this information back for a few more days, we are permitting
a very important protocol to be upgraded in an immune way, OR YOU CAN
TURN IT OFF NOW.

> On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> > I'm not giving away any hints.  Assume the worst and do the upgrade,
> > and if you dislike the way I handled this, don't buy me that beer
> > later.
>
> I'm just curious when this OpenBSD policy change took effect.  According to
> http://www.openbsd.org/security.html#disclosure:
>
>     Full Disclosure
>     Like many readers of the BUGTRAQ mailing list, we believe in
>     full disclosure of security problems.  In the operating system
>     arena, we were probably the first to embrace the concept.  Many
>     vendors, even of free software, still try to hide issues from
>     their users.
>
>     Security information moves very fast in cracker circles.  On the
>     other hand, our experience is that coding and releasing of
>     proper security fixes typically requires about an hour of work
>     -- very fast fix turnaround is possible.  Thus we think that
>     full disclosure helps the people who really care about
>     security.
>
> Not all of us are in the position to use cutting edge OpenSSH-portable
> versions.  By you holding back this information, you are only hurting those
> who *CAN'T* upgrade to your latest and greatest.  Has there actually been
> enough testing of privsep to say that it contains no bugs?  It seems to me
> that we'd all be better off if you just released a diff and let us all fix
> our own wounds.
>
> --
> Sean Kelly | PGP KeyID: 77042C7B
> smkelly@zombie.org | http://www.zombie.org