From owner-freebsd-security Mon Jun 24 21:49:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 7204137B401 for ; Mon, 24 Jun 2002 21:49:19 -0700 (PDT) Received: by mail.interchange.ca (Fastmailer, from userid 555) id 56B1B2D83; Tue, 25 Jun 2002 00:49:11 -0400 (EDT) MIME-Version: 1.0 Message-Id: <3D17F647.000045.31912@ns.interchange.ca> Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0" To: security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability From: "Michael Richards" X-Fastmail-IP: [24.43.130.241] Received: from 24.43.130.241 by www.fastmail.ca with HTTP; Tue, 25 Jun 2002 04:49:11 +0000 (UTC) Date: Tue, 25 Jun 2002 00:49:11 -0400 (EDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit Does anyone feel like they're being held over a barrel and forced to take something being told that it's good for them? Perhaps this new privledge separation thing is good but since it seems to be really new and neither well tested nor well integrated into any of the OSes it seems like something I'd rather not be taking uninformed. After reviewing the code of the new 3.3.1p I've located a very simple yet obscure root exploit for this new version that everyone is blindly rushing to install because someone says there is a hole in the old one. Everyone is being rushed because someone wants to break into all the systems and install OpenBSD on them while we're asleep. I'm not going to tell anyone about this new exploit because then someone _else_ will probably fix it. Pretty silly huh? Maybe we should turn the internet off until the end of the week so all the sysadmins can patch their stuff. As someone else suggested, if this secret patch is really so important to keep crackers from coming up with their own exploits, why not just compile a bunch of binaries and distribute them. I'd be more thank happy to donate some CPU time toward this cause. Having said this, at some point source will have to be made public that fixes this bug. Or is the issue more than only one individual knows about it and as a result there is one person working to patch it? -Michael _________________________________________________________________ http://fastmail.ca/ - Fast Secure Web Email for Canadians --------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message