Message-Id: <200206261854.g5QIsNLI015235@cvs.openbsd.org>
To: Travis Cole
Cc: freebsd-security@freebsd.org
Subject: Re: Wow
In-reply-to: Your message of "Wed, 26 Jun 2002 14:51:27 EDT." <20020626185126.GB35484@ainaz.pair.com>
Date: Wed, 26 Jun 2002 12:54:23 -0600
From: Theo de Raadt

> On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote:
> > Man, you guys sure do talk shit a lot. But anyways, that is hardly
> > surprising or news.
> >
> > I do have a question though.
> >
> > Did any of you get broken in via this hole yet?
>
> Nope. Just wasted a good part of yesterday upgrading 60 boxes
> from a non-vulnerable version of OpenSSH to a version with a now
> known remote exploit.
>
> I think the PR for this issue could have been a bit better...

We also did 5600 lines of further security auditing work over the last
week. We're fairly convinced that some of the things we changed are
relevant as well. i.e. more holes.

And that is committed in 3.4

By all means. Please continue running what you have. Don't upgrade
to 3.4. And please turn privsep off. Or, please, use someone else's
software. Please.