Message-ID: <3D1838FF.DE572927@FreeBSD.org>
Date: Tue, 25 Jun 2002 02:33:51 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
To: mjacob@feral.com
Cc: rwatson@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Upcoming OpenSSH vulnerability (fwd)

Matthew Jacob wrote:
>
> Despite DES's claim that Theo is too hard to work with, perhaps somebody who
> understands the issues could see where FreeBSD stands wrt this.

We are replacing the openssh version in -current with the latest version of openssh-portable, and enabling privsep by default. I am unsure of the plans to import that into -stable, however you have essentially the same capability to do the upgrade on your -stable system through the ports.

The project does not take a stand on how third parties disclose bugs. Neither is that subject on topic for this list.

The options available to you have been well documented at this point:

1. Turn off openssh, and/or replace it with another product.
2. Upgrade to the privsep code and hope it makes things better.

Personally I think 2 is a reasonable option, but if you don't like it, 1 is still available.

Hope this helps,

Doug