From: Theo de Raadt
To: nectar@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Hogwash
Date: Mon, 24 Jun 2002 17:27:11 -0600
Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>

> Nobody is `in' on the bug. The OpenSSH team has given details to no
> one so far, so we are assured to be blindsided. I'm afraid security
> contacts with various projects and vendors know no more than what was
> said in the bugtraq posting.

Bullshit.

You have been told to move up to privsep so that you are immunized by the time the bug is released.

If you fail to immunize your users, then the best you can do is tell them to disable OpenSSH until 3.4 is out early next week with the bugfix in it. Of course, then the bug will be public.

I am not nearly naive enough to believe that we can release a patch for this issue to any vendor, and have it not leak immediately.