Date: Mon, 24 Jun 2002 18:50:23 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: FreeBSD Security <security@freebsd.org>
Cc: <deraadt@cvs.openbsd.org>
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624183837.P40482-100000@walter>
In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org>
> Although I sympathize with the desire to be able to make informed
> decisions regarding older versions of supported software that's in the
> field, I have to say that I side with Theo here: We're being warned that
> a critical exploit will be published in a few days, along with the
> simultaneous release of a version of the software that fixes the bug
> that leads to the exploit, AND we're being told how to immunize
> ourselves against the exploit--using currently-available
> software--several days in advance of the announcement.

1) The problem for us is that we're still using openssh-2.x in -STABLE, so privilege separation isn't really an option.

2) Privilege separation, while a great idea, is not the same as there being no bug - there is still an exploitable bug in the openssh code. And it seems to me that much time is being wasted pointing fingers about why vendors aren't helping with privilege separation; stop complaining about vendors and fix the bugs in your code.

3) If the openssh team has discovered the bug, the black hats have already discovered it as well. Delaying publication only gives the black hats notice that they'd better hack as many systems as they can before the fix comes out. Release now and let the community help you fix the bug (since apparently it's so complicated that you can't fix it right away on your own...).

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin