Date:      Mon, 24 Jun 2002 19:53:18 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
To:        Theo de Raadt <deraadt@cvs.openbsd.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Hogwash
Message-ID:  <20020625005318.GB43386@madman.nectar.cc>
In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org>
References:  <200206242327.g5ONRBLI012690@cvs.openbsd.org>

On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote:
> > Nobody is `in' on the bug.  The OpenSSH team has given details to no
> > one so far, so we are assured to be blindsided.  I'm afraid security
> > contacts with various projects and vendors know no more than what was
> > said in the bugtraq posting.
> 
> Bullshit.

You are reacting to my `blindsided' comment.  The rest is factual,
AFAIK, and your comments below seem to underline that.

> You have been told to move up to privsep so that you are immunized by
> the time the bug is released.
> 
> If you fail to immunize your users, then the best you can do is tell
> them to disable OpenSSH until 3.4 is out early next week with the
> bugfix in it.  Of course, then the bug will be public.
>
> I am not nearly naive enough to believe that we can release a patch
> for this issue to any vendor, and have it not leak immediately.

Still, we'll all be much more at ease once all the cards are on the
table.  I appreciate that you are trying to prepare users, but forgive
me if I don't agree that withholding the details is the best approach.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
