From owner-freebsd-security  Mon Jun 24 22:11: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from yello.shallow.net (yello.shallow.net [203.18.243.120])
	by hub.freebsd.org (Postfix) with ESMTP id 0C16537B401
	for <freebsd-security@FreeBSD.ORG>; Mon, 24 Jun 2002 22:10:58 -0700 (PDT)
Received: by yello.shallow.net (Postfix, from userid 1001)
	id 875842A6B; Tue, 25 Jun 2002 15:10:51 +1000 (EST)
Date: Tue, 25 Jun 2002 15:10:51 +1000
From: Joshua Goodall <joshua@roughtrade.net>
To: Theo de Raadt <deraadt@openbsd.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
Message-ID: <20020625051051.GA4009@roughtrade.net>
References: <200206242327.g5ONRBLI012690@cvs.openbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hi Theo,

Something I would like to know - and I think you can tell us without
compromising much - is whether 3.4 will be more than 3.3 + fix for
this exploit.  This will help those who roll our own packages/maintain
large deployments to plan in advance.  (i.e. will we need an hour
or a day to merge changes?)

Joshua

On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote:
> > Nobody is `in' on the bug.  The OpenSSH team has given details to no
> > one so far, so we are assured to be blindsided.  I'm afraid security
> > contacts with various projects and vendors know no more than what was
> > said in the bugtraq posting.
> 
> Bullshit.
> 
> You have been told to move up to privsep so that you are immunized by
> the time the bug is released.
> 
> If you fail to immunize your users, then the best you can do is tell
> them to disable OpenSSH until 3.4 is out early next week with the
> bugfix in it.  Of course, then the bug will be public.
> 
> I am not nearly naive enough to believe that we can release a patch
> for this issue to any vendor, and have it not leak immediately.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message