LINUX.IE, website of the Irish Linux Users' Group

[ILUG] openssh vulnerability

Paul Kelly longword at esatclear.ie
Tue Jun 25 07:48:17 IST 2002


Anders Holm wrote:
> What I can get out of this is that Theo and Co. actually have _tried_
> resolving this _with_ vendors, but that they are not responding properly to
> this vulnerability and apparently do not seem to care to help out.

That's not what I read from it - to me it seems he has informed the
vendors that some nondescript vulnerability exists, and that his best
solution at this time is not to fix the vulnerability but to change how
OpenSSH is used and implemented on each and every platform, using a
mechanism that has barely been used at all in the field. If I were a
vendor right now, I'd be thinking long and hard about forking OpenSSH
and requesting direct notification of vulnerabilities for the new package.

> Theo also states that PrivSep IS NOT A FIX but at least a workaround UNTIL a
> patch can be distributed. So, he is giving people a way of closing a flaw
> until it can be fixed. Since when is that bad? Sure, not ideal, but is it
> _so_ horrible?

What's _so_ horrible is threatening the vendors (and users) that if they
don't use OpenSSH a certain way, using a completely new code path, their
customers will be put at risk. He has stated that details of the
vulnerability will be released next week, but made no mention of a patch
to secure this vulnerability before those details are released.

> flaming someone who has not even been copied on your flames, and probably
> knows nothing of it. Would you like to be treated the same way?

Theo knows exactly what he's doing, and I'd be surprised if he's not
getting enough flames as-is without us adding to his troubles.

Paul.