Date:      Wed, 26 Jun 2002 15:38:58 -0400
From:      Bosko Milekic <bmilekic@unixdaemons.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Wow [OpenSSH solutions]
Message-ID:  <20020626153858.A43920@unixdaemons.com>
In-Reply-To: <1025118105.443.8.camel@ech.maverik.com>; from tstevenson@maverik.com on Wed, Jun 26, 2002 at 01:01:45PM -0600
References:  <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com>

Folks,

  Please stop this _now_.  We really don't need to see any of this
  anymore and what's happening, as a result, is that those folks who are
  stuck having to weed through this thread to find the actual solution
  can no longer do that effectively, because it is cluttered with
  people complaining about this and that.

  While I understand frustrations from all different angles, and while
  it would be wrong for me to argue that those frustrations are
  unreasonable, we need to compromise and let things slide.
  
  Let's suck it up here and make, if anything, one act that benefits the
  community as a whole.  There was a problem with OpenSSH, it may or may
  not have been perfectly handled, but what happened happened.  And now
  we have to move on.

  freebsd-security, your options are:

  1) If you run -STABLE, and you _really_ cannot upgrade for some
  reason to OpenSSH 3.4, staying with the version in -STABLE should be
  OK for what concerns this particular problem; consider allocating the
  resources for that upgrade Real Soon Now, though.  If you insist, stay
  where you are, and I'm sure we'll be getting something from the
  security-officer suggesting to follow with option (2) below.  If you're
  running -CURRENT, go to option (2) immediately.

  2) Upgrade to 3.4.  Not only does it properly solve the problem ISS and
  the OpenSSH team have warned us about, but it also solves several other
  issues that may be related to security.  It's the new version, it's
  production, and it's what anyone who has the resources should move to,
  now that we know the nature of the problem.  Trust me, this can be
  done fairly easily.  You can even install into an isolated target
  directory and make appropriate [temporary] symlinks until 3.4 is
  properly imported, at which point you can remove the symlinks and use
  the imported version, if you so desire.

  Again, I understand that resources were probably allotted to dealing
  with this problem and that some of them may have been avoidable.  But
  things are the way they are and a solution _has_ been provided now, so
  continued complaints will not help the situation anymore, at all.
  Discussing the what, how, and where at this point is redundant. 

  Thank you all in advance for your cooperation and thank you to the
  OpenSSH team for 3.4, despite all differences in opinion regarding the
  way in which it came about.

  <Spock style salutation, for extra Geekiness>

Best regards,
-- 
Bosko Milekic
bmilekic@unixdaemons.com
bmilekic@FreeBSD.org

P.S.: If anyone cares to keep the discussion going for some reason,
let's move it to -chat. No need to start any additional threads on
-security. Thanks!

