* * * * *

 “The Sky is Falling! Get to a bomb shelter! Although, an umbrella would work
                               just as well … ”

> **To:** [a whole lot of lists]
> **Subject:** Upcoming OpenSSH vulnerability
> **Date:** Mon, 24 Jun 2002 15:00:10 -0600
> **From:** Theo de Raadt <XXXXXXXXXXXXXXXXXXXXXXX>
>
> There is an upcoming OpenSSH vulnerability that we're working on with ISS.
> Details will be published early next week.
>

Upcoming OpenSSH vulnerability [1]

Well, nice to know that “early next week” means “today [2].” Also nice to
know that the couple of hours I spent yesterday [3] could have been fixed with a
simple one-line configuration change. [4]

I'm of mixed minds about how this was handled. I do think Theo overplayed his
hand in attempting to force one particular way of fixing the problem with
privilege separation (which is probably a good idea if the operating system
in question supports it), but given that an exploit in OpenSSH [5] could cause
massive damage, how else can you solve the problem such that the damage is
minimized?

Hard questions, and that's why I'm of mixed minds (I would have preferred
knowing about the one-line configuration change, but would that have given the
Black Hats enough of a clue to write an exploit?).

[1] http://www.linuxweeklynews.com/Articles/3322/
[2] http://www.openssh.org/txt/iss.adv
[3] gopher://gopher.conman.org/0Phlog:2002/06/25.1
[4] http://www.openssh.org/txt/iss.adv
[5] http://www.openssh.org/
