Date:      Tue, 25 Jun 2002 02:55:10 -0600
From:      Theo de Raadt <deraadt@cvs.openbsd.org>
To:        Joshua Goodall <joshua@roughtrade.net>
Cc:        Theo de Raadt <deraadt@openbsd.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Hogwash 
Message-ID:  <200206250855.g5P8tALJ009445@cvs.openbsd.org>
In-Reply-To: Your message of "Tue, 25 Jun 2002 15:10:51 +1000." <20020625051051.GA4009@roughtrade.net>

I think our intent is to make 3.4 be 3.3.1 + the fix.

If it isn't, we are going to try to make it easy in some other way.

Be ready on Monday morning for a small patch, and simple roll-out.

> Something I would like to know - and I think you can tell us without
> compromising much - is whether 3.4 will be more than 3.3 + fix for
> this exploit.  This will help those who roll our own packages/maintain
> large deployments to plan in advance.  (i.e. will we need an hour
> or a day to merge changes?)
> 
> Joshua
> 
> On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote:
> > > Nobody is `in' on the bug.  The OpenSSH team has given details to no
> > > one so far, so we are assured to be blindsided.  I'm afraid security
> > > contacts with various projects and vendors know no more than what was
> > > said in the bugtraq posting.
> > 
> > Bullshit.
> > 
> > You have been told to move up to privsep so that you are immunized by
> > the time the bug is released.
> > 
> > If you fail to immunize your users, then the best you can do is tell
> > them to disable OpenSSH until 3.4 is out early next week with the
> > bugfix in it.  Of course, then the bug will be public.
> > 
> > I am not nearly naive enough to believe that we can release a patch
> > for this issue to any vendor, and have it not leak immediately.
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message




