From owner-freebsd-security Wed Jun 26 10:27:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from tesla.distributel.net (nat.MTL.distributel.NET [66.38.181.24]) by hub.freebsd.org (Postfix) with ESMTP id 47E2737B4B2 for ; Wed, 26 Jun 2002 10:27:43 -0700 (PDT)
Received: (from bmilekic@localhost) by tesla.distributel.net (8.11.6/8.11.6) id g5QHOGl42385; Wed, 26 Jun 2002 13:24:16 -0400 (EDT) (envelope-from bmilekic@unixdaemons.com)
Date: Wed, 26 Jun 2002 13:24:16 -0400
From: Bosko Milekic
To: Brett Glass
Cc: Mike Tancsa, Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <20020626132416.A42340@unixdaemons.com>
References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:23:14AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote:
> Mike:
>
> It is clear that Theo was attempting to have people apply the workaround
> which had the least chance of revealing the nature of the bug in advance,
> lest it be discovered by others and exploited.
>
> It's truly sad that ISS, which knew about Theo's advisory, released this
> information today, instead of next week as Theo asked them to. If Theo's
> roadmap for disclosure had been followed, more administrators could have
> been informed about the bug, and they would have had time to take
> preventive measures through the weekend before the skript kiddies began
> their race to exploit the bug. Now, the race has begun. In fact, the
> problem has been exacerbated because administrators who *could* have
> secured their systems thought they'd have time to do so over the weekend.
>
> Theo made a worthy attempt to minimize harm (which should be the goal of
> any security policy). It's a shame that ISS sought the spotlight instead
> of doing the same.
>
> --Brett Glass

I think that what you're saying is reasonable, however, I know (now almost
for a fact) that there was an exploit going around already. So, it's better
that the information has been released sooner, than later. And, since it
appears that the OpenSSH that ships with our -STABLE is not affected, all
the easier this is for those of us who were in the middle of implementing
"drastic measures" (for fear of the worst), as it allows us to step back,
relax, and enjoy the fireworks.

-Bosko

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message