Date: Tue, 25 Jun 2002 00:49:11 -0400 (EDT)
From: "Michael Richards" <michael@fastmail.ca>
To: security@FreeBSD.ORG
Subject: Re: Upcoming OpenSSH vulnerability
Message-ID: <3D17F647.000045.31912@ns.interchange.ca>
Does anyone feel like they're being held over a barrel and forced to
take something being told that it's good for them? Perhaps this new
privilege separation thing is good but since it seems to be really
new and neither well tested nor well integrated into any of the OSes
it seems like something I'd rather not be taking uninformed.

After reviewing the code of the new 3.3.1p I've located a very simple
yet obscure root exploit for this new version that everyone is
blindly rushing to install because someone says there is a hole in
the old one. Everyone is being rushed because someone wants to break
into all the systems and install OpenBSD on them while we're asleep.
I'm not going to tell anyone about this new exploit because then
someone _else_ will probably fix it.

Pretty silly huh? Maybe we should turn the internet off until the end
of the week so all the sysadmins can patch their stuff.

As someone else suggested, if this secret patch is really so
important to keep crackers from coming up with their own exploits,
why not just compile a bunch of binaries and distribute them. I'd be
more than happy to donate some CPU time toward this cause. Having
said this, at some point source will have to be made public that
fixes this bug. Or is the issue more than only one individual knows
about it and as a result there is one person working to patch it?

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Secure Web Email for Canadians
