Date: Thu, 27 Jun 2002 13:36:59 +0930
From: Wincent Colaiuta <wincentcolaiuta@mac.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>, freebsd-security@freebsd.org
Subject: Re: Wow (or, How Theo should have handled it)
Message-ID: <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com>
In-Reply-To: <200206261919.g5QJJLLI018466@cvs.openbsd.org>
On Thursday, 27 June, 2002, at 04:49 AM, Theo de Raadt wrote:

>> * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]:
>>> We also did 5600 lines of further security auditing work over the last
>>> week. We're fairly convinced that some of the things we changed are
>>> relevant as well. ie. more holes.
>>>
>>> And that is committed in 3.4
>>
>> Theo,
>>
>> When will we see an advisory and/or patches for older versions
>> regarding the other holes that you have uncovered?
>
> You won't.
>
> I've barely slept in a week.
>
> So many of you are being totally unreasonable people.

Great. That's just what I want... a rushed 3.4 release which contains
5600 lines of code "audited" by a team of sleep-deprived zombies.
(joking... I do appreciate your efforts, Theo).

Seriously, Theo, the best thing you could've done would have been to
fully disclose the original bug in the challenge/response code and the
one-line fix (turn off challenge/response auth), and told people two
things: firstly, that patches were being worked on; and secondly, that
3.4 was on the way soon and that it would be desirable to upgrade to
that and activate priv separation so as to better cope with future
potential holes.

Unfortunately, the way you DID handle it created a furore and upset an
awful lot of people who spent hours and hours undergoing a rushed and
complicated upgrade procedure on dozens or even hundreds of boxes, when
they probably would've preferred to apply the one-line workaround and
upgrade to 3.4 in a more reasonable time-frame (ie. an orderly, planned
upgrade; not a rushed, emergency one). To make matters worse many of
these people were using a version of OpenSSH that did not contain the
vulnerability (remember, this is a FreeBSD list here).

Thanks once again for your work, Theo. I just wish things had gone a
little bit more smoothly!

Regards,
Wincent