Date: Tue, 25 Jun 2002 17:15:16 +1000
From: Lachlan O'Dea <odela01@ca.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>
Cc: FreeBSD Security <security@FreeBSD.ORG>
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <3D181884.2040200@ca.com>
References: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
Theo de Raadt wrote:
> Jason Stone wrote:
>
>> Release now and let the community help you fix the bug (since
>> apparently it's so complicated that you can't fix it right away on your
>> own...).
>
> It took about 3 minutes for the first rev.

So you are saying that you already have a patch that fixes the vulnerability? If so, it seems to me that delaying the release does more harm than good.

There is one disadvantage to publicly releasing either the patch or the details of the vulnerability now: the black hats could use the information to develop an exploit before people have a chance to protect themselves.

However, there are a number of advantages to releasing all the information now:

1) Many OpenSSH users (perhaps the majority) are not in a position to upgrade to version 3.3. The UsePrivilegeSeparation feature is not available to them.

2) For users, installing a patched version of their vendor's current OpenSSH version is the most straightforward solution. Certainly quicker and less painful than trying to jump to 3.3.

3) It is far easier for vendors to patch the version of OpenSSH they currently ship than it is to rush out an upgrade to version 3.3 (at least I think that is the case; I can't be sure since I don't know anything about the vulnerability). As you noted in your announcement, version 3.3 has problems on some platforms. It also sounds like vendors must perform non-trivial work to get UsePrivilegeSeparation to work. From what you said above, it sounds like the fix for the vulnerability is fairly simple. Perhaps the FreeBSD security team could have already committed the fix if they knew what it was.

4) In your announcement, you did not indicate which versions of OpenSSH are vulnerable. You seem to be saying that we should assume they are all vulnerable. People may spend significant effort upgrading to version 3.3 and losing the features that don't work on their platform, only to later discover that they weren't vulnerable in the first place.

5) Everyone's situation is different. Individual administrators may be able to protect their own systems through other means (perhaps quicker and easier) than upgrading to version 3.3. However, without any information about the vulnerability, they are helpless.

In my opinion, the advantages of immediate disclosure outweigh the disadvantages. You have a different opinion, and yours is the one that counts in this case. We are all entitled to our opinion, right?

If the fix is a relatively simple one, as I think you are indicating, it seems that vendors could patch their shipping versions of OpenSSH faster than an exploit could be developed. As things stand now, we have a whole bunch of people unable to move to 3.3 who are in the dark and very worried.

> Apparently you have a comprehension difficulty. I urge you to go back
> and re-read what I posted to lots of lists. Perhaps some other people
> can help you.

Apparently I share Jason's comprehension difficulty.

Please note that I'm not complaining about a poor response from the OpenSSH developers or anything like that. You all do great work. I'm just saying that, in my opinion, you would do much more good than harm if you released everything you know about this vulnerability now.

-- 
Lachlan O'Dea <lodea@vet.com.au>
Computer Associates Pty Ltd
Webmaster
Vet - Anti-Virus Software
http://www.vet.com.au/