From owner-freebsd-security Tue Jun 25 17:14:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (pool-138-88-127-183.res.east.verizon.net [138.88.127.183]) by hub.freebsd.org (Postfix) with ESMTP id 448E237B401; Tue, 25 Jun 2002 17:14:20 -0700 (PDT)
Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5Q0E7IK005180; Tue, 25 Jun 2002 20:14:07 -0400 (EDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5Q0E7Wt005177; Tue, 25 Jun 2002 20:14:07 -0400 (EDT)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Tue, 25 Jun 2002 20:14:06 -0400 (EDT)
From: Matt Piechota
To: Theo de Raadt
Cc: "Jacques A. Vidrine" ,
Subject: Re: Hogwash
In-Reply-To: <200206250058.g5P0wgLJ021374@cvs.openbsd.org>
Message-ID: <20020625200442.B5151-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Jun 2002, Theo de Raadt wrote:

> > Still, we'll all be much more at ease once all the cards are on the
> > table. I appreciate that you are trying to prepare users, but forgive
> > me if I don't agree that withholding the details is the best approach.
>
> So please, humour me. Who precisely should I be telling this
> information to, who isn't going to leak it, ship patches to their
> customers early, etc.

Since I started this (somewhat), I'll clarify what I meant: It would be nice if only a version spread were mentioned. It's implied that it's all OpenSSH before 3.3p1, but that wasn't quite clear. It talked a lot about privsep, and I was hoping that it was only a privsep problem and wouldn't affect me.
Obviously, you don't want to release full details without a patch, but something along the lines of:

  There's a hole in OpenSSH that affects all versions. It's a remote DOS, and may cause a root hole. Use privsep if you can.

I know that's almost what you said, but IMHO it's just a touch clearer, so there's no doubt what needs to be done.

--
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message