Date: Wed, 26 Jun 2002 12:49:14 -0400
From: Mike Tancsa
To: Brett Glass, Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-Id: <5.1.0.14.0.20020626124711.053ff7c8@marble.sentex.ca>
In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>
References: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca>

I really don't want to get into what was intended and the politics of when what was released etc. That's best on another list. I only wanted to get as much clarity on how to either upgrade or work around the security issue in an expedient and safe manner relevant for my network.

---Mike

At 10:23 AM 26/06/2002 -0600, Brett Glass wrote:
>Mike:
>
>It is clear that Theo was attempting to have people apply the workaround
>which had the least chance of revealing the nature of the bug in advance,
>lest it be discovered by others and exploited.
>
>It's truly sad that ISS, which knew about Theo's advisory, released this
>information today, instead of next week as Theo asked them to. If Theo's
>roadmap for disclosure had been followed, more administrators could have
>been informed about the bug, and they would have had time to take
>preventive measures through the weekend before the skript kiddies began
>their race to exploit the bug. Now, the race has begun. In fact, the
>problem has been exacerbated because administrators who *could* have
>secured their systems thought they'd have time to do so over the weekend.
>
>Theo made a worthy attempt to minimize harm (which should be the goal of
>any security policy). It's a shame that ISS sought the spotlight instead
>of doing the same.
>
>--Brett Glass
>
>At 09:10 AM 6/26/2002, Mike Tancsa wrote:
>
>>Also, the ISS advisory states
>>
>>"Administrators can remove this vulnerability by disabling the
>>Challenge-Response authentication parameter within the OpenSSH daemon
>>configuration file. This filename and path is typically:
>>/etc/ssh/sshd_config. To disable this parameter, locate the corresponding
>>line and change it to the line below: ChallengeResponseAuthentication no "
>>
>>This would imply there is a workaround, but the talk beforehand
>>
>>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>---
>>
>>Bullshit.
>>
>>You have been told to move up to privsep so that you are immunized by
>>the time the bug is released.
>>
>>If you fail to immunize your users, then the best you can do is tell
>>them to disable OpenSSH until 3.4 is out early next week with the
>>bugfix in it. Of course, then the bug will be public.
>>----end-quote---
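The two mitigations quoted in this thread (the ISS `ChallengeResponseAuthentication no` workaround and Theo's advice to run with privilege separation) can be checked mechanically before restarting sshd. The POSIX shell script below is an added example, not code from the thread or from OpenSSH; it relies on sshd taking the first occurrence of a keyword and, as an assumption, treats an absent `UsePrivilegeSeparation` as not enabled (check your version's sshd_config(5) for the real default).

```shell
#!/bin/sh
# Audit an sshd_config for the two mitigations discussed in the thread:
#   ChallengeResponseAuthentication no   (the ISS workaround)
#   UsePrivilegeSeparation yes           (Theo's "move up to privsep")
# sshd honours the FIRST occurrence of a keyword, so a "no" appended below
# an existing "yes" changes nothing; keywords are matched case-insensitively
# and lines whose first non-blank character is '#' are comments.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD, or DEFAULT if it is absent.
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }                 # comment or blank line
        NF >= 2 && tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE
# Reports each missing mitigation; returns 0 only when both are in place.
# Assumption (not from the thread): absent UsePrivilegeSeparation means "no".
audit_sshd() {
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    psep=$(sshd_effective "$1" UsePrivilegeSeparation no)
    status=0
    if [ "$cra" != "no" ]; then
        echo "$1: ChallengeResponseAuthentication is '$cra' (workaround not applied)"
        status=1
    fi
    if [ "$psep" != "yes" ]; then
        echo "$1: UsePrivilegeSeparation is '$psep' (privsep not enabled)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$1: both mitigations in place"
    return "$status"
}

# Constructed sample config (not from any real host) showing the classic
# mistake: the "no" is appended after an earlier "yes" that still wins.
write_sample() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 22
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample" || echo "-> fix the first matching line, then restart sshd"
rm -f "$sample"
```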