From owner-freebsd-security  Wed Jun 26 10:47:15 2002
Date: Wed, 26 Jun 2002 12:47:11 -0500
From: Pete Ehlke <pde@rfc822.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)

On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote:
> Mike:
> 
> It is clear that Theo was attempting to have people apply the workaround 
> which had the least chance of revealing the nature of the bug in advance, 
> lest it be discovered by others and exploited.
> 
> It's truly sad that ISS, which knew about Theo's advisory, released this 
> information today, instead of next week as Theo asked them to. If Theo's 
> roadmap for disclosure had been followed, more administrators could have 
> been informed about the bug, and they would have had time to take 
> preventive measures through the weekend before the skript kiddies began 
> their race to exploit the bug. Now, the race has begun. In fact, the 
> problem has been exacerbated because administrators who *could* have 
> secured their systems thought they'd have time to do so over the weekend.
> 
ISS have claimed to me in private mail that Bugtraq sat on the advisory for
some 30 hours, and that during that 30 hour period, ISS and the openssh
team, specifically including Theo, agreed to bring forward the
announcement date. Given the timing of the initial announcement's
appearance on various lists, I'm inclined to believe them about the
first part of that claim. The second part, especially given ISS' history
of appearing to be more concerned with being first to market with
advisories than with responsible vendor notification, is open to fairly
serious debate until Theo or someone else from openssh comments. Given
the pace of events this week, though, it's certainly not out of the
question.

But then, none of this belongs on -security, anyway ;)

-P.
