Date:      Tue, 25 Jun 2002 01:46:04 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD Security <security@freebsd.org>
Subject:   Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID:  <20020625013911.J7245-100000@topperwein.dyndns.org>
In-Reply-To: <200206250233.g5P2XBZi009480@khavrinen.lcs.mit.edu>

On Mon, 24 Jun 2002, Garrett Wollman wrote:

> <<On Mon, 24 Jun 2002 21:35:06 -0400 (EDT), Chris BeHanna <behanna@zbzoom.net> said:
>
> >     Result:  it's possible to completely prevent the window of
> > vulnerability that usually exists between the announcement of an
> > exploit and the availability of a fix for same.
>
> Only if you run absolutely stock, bog-standard OpenSSH.  Many of us
> have different operational requirements.

    I can appreciate and sympathize with that; however, how much do
you expect the *volunteers* at OpenBSD to do?  There may be many
variant versions of OpenSSH out there; you can't expect the OpenBSD
crew to test with all of them.

    Theo *could* sit on this a little longer until the privsep code is
better tested in the field and until most of the PAM problems are
sorted out.  Doing so risks that crackers will discover the exploit,
if they haven't already.  Theo's decided (correct me if I'm wrong,
Theo) that the risk of exploitation is greater than the risk due to
problems with the new feature.  You may disagree.  You're not paying
anything for the software.

    An option open to you is to take the privsep code and patch it
into your working version of OpenSSH on a test machine and put it
through its paces before you deploy it in production.  The OpenBSD
folks might even help you if you ask nicely and if they have time.
That likelihood may increase if the effort is funded.

    Having been in an "ohmygodihavetoupgradethisnowtoplugahole" frame
of mind, I imagine that Theo is in put-out-the-fire mode right now,
and that has led to the decisions that he has made.  Once again,
you're not paying for the software.

    As for me, I'm going to warn my clients and offer to assist them
at no charge.  I will share what I learn freely, provided that I don't
trip over the exploit myself, in which case I'll hold that back until
after Theo has published the patch.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                 Turning coffee into software since 1990.
