On Tue, Jun 25, 2002 at 02:22:09AM +0100, Paul Kelly wrote:
> Dave Burke wrote:
> > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2
> Maybe I'm reading it wrong, but to me that message reads like 'We don't
> care to fix this bug right now, go use PrivSep even though it doesn't
> work quite right yet'. And Theo wonders why people don't get on well
> with him...
another interpretation is this:

if the openssh team releases a patch today, the crackers will know the
vulnerability immediately. if the openssh team releases privsep across
the ports (which appears to also stop the attack), then the crackers
are no wiser.

the "vulnerability clock" starts ticking the moment a patch comes out
that directly addresses the problem. privsep will protect systems,
but not directly give away the vulnerability.

kevin
--
kevin at suberic.net
fork()'ed on 37058400
meatspace place: inle
http://suberic.net/~kevin

that a believer is happier than a skeptic is no more to
the point than the fact that a drunken man is happier
than a sober one. the happiness of credulity is a
cheap & dangerous quality -- g.b. shaw