Date:      Tue, 25 Jun 2002 15:10:51 +1000
From:      Joshua Goodall <joshua@roughtrade.net>
To:        Theo de Raadt <deraadt@openbsd.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Hogwash
Message-ID:  <20020625051051.GA4009@roughtrade.net>
In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org>
References:  <200206242327.g5ONRBLI012690@cvs.openbsd.org>

Hi Theo,

Something I would like to know - and I think you can tell us without
compromising much - is whether 3.4 will be more than 3.3 + fix for
this exploit.  This will help those who roll our own packages/maintain
large deployments to plan in advance.  (i.e. will we need an hour
or a day to merge changes?)

Joshua

On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote:
> > Nobody is `in' on the bug.  The OpenSSH team has given details to no
> > one so far, so we are assured to be blindsided.  I'm afraid security
> > contacts with various projects and vendors know no more than what was
> > said in the bugtraq posting.
> 
> Bullshit.
> 
> You have been told to move up to privsep so that you are immunized by
> the time the bug is released.
> 
> If you fail to immunize your users, then the best you can do is tell
> them to disable OpenSSH until 3.4 is out early next week with the
> bugfix in it.  Of course, then the bug will be public.
> 
> I am not nearly naive enough to believe that we can release a patch
> for this issue to any vendor, and have it not leak immediately.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
