From owner-freebsd-security Tue Jun 25 1:54:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 0711037B404 for ; Tue, 25 Jun 2002 01:54:27 -0700 (PDT)
Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P8tALJ009445; Tue, 25 Jun 2002 02:55:11 -0600 (MDT)
Message-Id: <200206250855.g5P8tALJ009445@cvs.openbsd.org>
To: Joshua Goodall
Cc: Theo de Raadt, freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
In-reply-to: Your message of "Tue, 25 Jun 2002 15:10:51 +1000." <20020625051051.GA4009@roughtrade.net>
Date: Tue, 25 Jun 2002 02:55:10 -0600
From: Theo de Raadt
Sender: owner-freebsd-security@FreeBSD.ORG

I think our intent is to make 3.4 be 3.3.1 + the fix. If it isn't, we
are going to try to make it easy in some other way.

Be ready on Monday morning for a small patch, and simple roll-out.

> Something I would like to know - and I think you can tell us without
> compromising much - is whether 3.4 will be more than 3.3 + fix for
> this exploit. This will help those who roll our own packages/maintain
> large deployments to plan in advance. (i.e. will we need an hour
> or a day to merge changes?)
>
> Joshua
>
> On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote:
> > > Nobody is `in' on the bug. The OpenSSH team has given details to no
> > > one so far, so we are assured to be blindsided. I'm afraid security
> > > contacts with various projects and vendors know no more than what was
> > > said in the bugtraq posting.
> >
> > Bullshit.
> >
> > You have been told to move up to privsep so that you are immunized by
> > the time the bug is released.
> >
> > If you fail to immunize your users, then the best you can do is tell
> > them to disable OpenSSH until 3.4 is out early next week with the
> > bugfix in it. Of course, then the bug will be public.
> >
> > I am not nearly naive enough to believe that we can release a patch
> > for this issue to any vendor, and have it not leak immediately.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message