From owner-freebsd-security Wed Jun 26 9:44:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 6E66D37B401 for ; Wed, 26 Jun 2002 09:44:05 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11846; Wed, 26 Jun 2002 10:43:52 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020626103956.02291aa0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 26 Jun 2002 10:43:47 -0600
To: Benjamin Krueger
From: Brett Glass
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Cc: Mike Tancsa, Darren Reed, freebsd-security@FreeBSD.ORG
In-Reply-To: <20020626093538.B8071@mail.seattleFenix.net>
References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 10:35 AM 6/26/2002, Benjamin Krueger wrote:

> Minimized harm? The great majority of systems are (were) not vulnerable.

Not true at all. OpenBSD, NetBSD, and most recent Linux distributions were and are vulnerable.

> As for the start of the race? It started the minute Theo's notice hit bugtraq.

No, it didn't. The skript kiddies didn't know where the bug was.

> Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone
> who *was* vulnerable could have been secured in about 24 seconds.

He DID say to use PrivSep. He did not say to disable ChallengeResponseAuthentication for a reason: it would have clued the kiddies into the location of the bug.

> Somehow, I don't think that the script kiddies could find the vulnerability from
> such minimal information,

Mentioning ChallengeResponseAuthentication would have been a big hint.

> I won't even start on how much industry time (and thus, money) was wasted
> while administrators upgraded (many needlessly) their servers.

Most needed to upgrade. FreeBSD's releases appear to have dodged the bullet by sheer luck.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
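The two mitigations the thread argues about, enabling privilege separation and turning off challenge/response authentication, are both plain sshd_config directives, so an administrator could confirm which one a host actually has in place. The script below is an added example written for this archive page, not code from the thread, from FreeBSD or from OpenSSH. UsePrivilegeSeparation and ChallengeResponseAuthentication are the real sshd_config keywords; the two sample config files are constructed, and the script deliberately treats an absent directive as "not mitigated" rather than assuming what that era's compiled-in default was.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for
# the two mitigations discussed (privilege separation, or challenge/response
# authentication disabled). Keywords are OpenSSH's own; sample configs below
# are constructed for a stand-alone run.

# sshd_option FILE KEYWORD
# Prints the lower-cased value of the first non-comment occurrence of KEYWORD,
# or "unset" if the file never sets it. OpenSSH honours the first occurrence
# of a keyword, so the first match is the effective one.
sshd_option() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_mitigated FILE
# Returns 0 when either mitigation is explicitly in place, 1 otherwise.
# Assumption: an absent directive counts as not mitigated; the audit trusts
# only explicit settings and does not guess the build's defaults.
sshd_mitigated() {
    privsep=$(sshd_option "$1" UsePrivilegeSeparation)
    chalresp=$(sshd_option "$1" ChallengeResponseAuthentication)
    if [ "$privsep" = "yes" ] || [ "$chalresp" = "no" ]; then
        return 0
    fi
    return 1
}

# Constructed sample configs (not real hosts): one relying on defaults with
# the PrivSep line commented out, one with both mitigations set.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: neither mitigation is explicit
Port 22
#UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: both mitigations the thread recommends
Port 22
UsePrivilegeSeparation yes
ChallengeResponseAuthentication no
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if sshd_mitigated "$cfg"; then
        echo "$cfg: mitigated"
    else
        echo "$cfg: NOT mitigated (set UsePrivilegeSeparation yes or ChallengeResponseAuthentication no)"
    fi
done
```

Point it at a real /etc/ssh/sshd_config by calling sshd_mitigated on that path; the conservative "unset means not mitigated" rule means a host that relies on a compiled-in default is flagged for a human to check rather than silently passed.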