From owner-freebsd-security Mon Jun 24 22:46:17 2002
Date: Tue, 25 Jun 2002 01:46:04 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
In-Reply-To: <200206250233.g5P2XBZi009480@khavrinen.lcs.mit.edu>
Message-ID: <20020625013911.J7245-100000@topperwein.dyndns.org>

On Mon, 24 Jun 2002, Garrett Wollman wrote:

> < said:
>
> > Result: it's possible to completely prevent the window of
> > vulnerability that usually exists between the announcement of an
> > exploit and the availability of a fix for same.
>
> Only if you run absolutely stock, bog-standard OpenSSH. Many of us
> have different operational requirements.

I can appreciate and sympathize with that; however, how much do you expect the *volunteers* at OpenBSD to do? There may be many variant versions of OpenSSH out there; you can't expect the OpenBSD crew to test with all of them.

Theo *could* sit on this a little longer until the privsep code is better tested in the field and until most of the PAM problems are sorted out. Doing so risks that crackers will discover the exploit, if they haven't already. Theo's decided (correct me if I'm wrong, Theo) that the risk of exploitation is greater than the risk due to problems with the new feature.

You may disagree. You're not paying anything for the software. An option open to you is to take the privsep code and patch it into your working version of OpenSSH on a test machine and put it through its paces before you deploy it in production. The OpenBSD folks might even help you if you ask nicely and if they have time. That likelihood may increase if the effort is funded.

Having been in an "ohmygodihavetoupgradethisnowtoplugahole" frame of mind, I imagine that Theo is in put-out-the-fire mode right now, and that has led to the decisions that he has made. Once again, you're not paying for the software.

As for me, I'm going to warn my clients and offer to assist them at no charge. I will share what I learn freely, provided that I don't trip over the exploit myself, in which case I'll hold that back until after Theo has published the patch.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.