Date: Wed, 26 Jun 2002 12:20:05 -0700 (PDT)
From: Muhammad Faisal Rauf Danka
To: Theo de Raadt
Cc: freebsd-security@freebsd.org
Subject: Re: Wow
Reply-To: mfrd@attitudex.com
Message-Id: <20020626192009.2A8C1274E@sitemail.everyone.net>

privsep on
privsep off
wtf? Make up your mind.

Do everyone a favour, let us all keep our openssh off for a few weeks, or we could firewall them, or use telnet for that matter temporarily, and even if some of us do run openssh openly then it's their responsibility if they get hacked.

AND YOU IN THE MEANWHILE should take some rest and release a version which probably won't be found vulnerable at least until the next 2 - 3 months. PLEASE!!

Please, instead of wasting time in rants against you on mailing lists, and then replying to them, and then releasing improper advisories with no technical details and ordering people to just update 'cause you said so, you better be off focusing more on the code. (no offence)

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk

--- Theo de Raadt wrote:
>> On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote:
>> > Man, you guys sure do talk shit a lot. But anyways, that is hardly
>> > surprising or news.
>> >
>> > I do have a question though.
>> >
>> > Did any of you get broken in via this hole yet?
>>
>> Nope. Just wasted a good part of yesterday upgrading 60 boxes
>> from a non-vulnerable version of OpenSSH to a version with a now
>> known remote exploit.
>>
>> I think the PR for this issue could have been a bit better...
>
>We also did 5600 lines of further security auditing work over the last
>week. We're fairly convinced that some of the things we changed are
>relevant as well. ie. more holes.
>
>And that is committed in 3.4
>
>By all means. Please continue running what you have. Don't upgrade
>to 3.4. And please turn privsep off.
>
>Or, please, use someone else's software.
>
>Please.