From owner-freebsd-security  Mon Jun 24 20:42:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196])
	by hub.freebsd.org (Postfix) with SMTP id 9899837B4A3
	for <freebsd-security@freebsd.org>; Mon, 24 Jun 2002 20:41:54 -0700 (PDT)
Received: (qmail 7195 invoked by uid 1000); 25 Jun 2002 03:41:53 -0000
Date: Mon, 24 Jun 2002 21:41:53 -0600
From: "Dalin S. Owen" <dowen@nexusxi.com>
To: freebsd-lists@albury.net.au
Cc: freebsd-security@freebsd.org
Subject: Re: Hogwash
Message-ID: <20020624214153.B7100@nexusxi.com>
References: <005301c21bf5$b8d32ce0$020aa8c0@aims.private> <Pine.BSF.4.31.0206251323120.43654-100000@giroc.albury.net.au>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="61jdw2sOBCFtR2d/"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <Pine.BSF.4.31.0206251323120.43654-100000@giroc.albury.net.au>; from freebsd-lists@albury.net.au on Tue, Jun 25, 2002 at 01:28:08PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--61jdw2sOBCFtR2d/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable


Trusting TCP wrappers is like trusting inetd with heavy load. :)

On Tue, Jun 25, 2002 at 01:28:08PM +1000, freebsd-lists@albury.net.au wrote:
>=20
> On Tue, 25 Jun 2002, Chris Knight wrote:
>=20
> > I don't know what the official response will be, but given the lack
> > of information regarding the exploit, plus it's effect on a privsep
> > enabled ssh, it would be mad not to recommend either turning off
> > sshd, or where that is not possible, use firewalling rules to
> > restrict ssh access to a limited number of hosts.
>=20
> Does anyone know how hosts.allow rules (and/or tcpwrappers) will affect
> this vulnerability?
>=20
> If one has
>    sshd: ip.of.trusted.host, ip.of.also-trusted.host
> in /etc/hosts.allow, is that still "sufficiently" safe to live with in
> the short term?
>=20
> TIA,
> RossW
>=20
>=20
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--=20
Regards,

Dalin S. Owen
Nexus XI Corp.

Email: dowen@nexusxi.com
Web: http://www.nexusxi.com/

--61jdw2sOBCFtR2d/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0X5oAACgkQKZhyFXMVXuJJHgCfenI9SHTNv993UfN56HTdh9fP
UqIAoNGhsLKGC3zzHrnc0shwgy8H00GK
=aZF3
-----END PGP SIGNATURE-----

--61jdw2sOBCFtR2d/--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message