Anders Holm wrote:
> What I can get out of this is that Theo and Co. actually have _tried_
> resolving this _with_ vendors, but that they are not responding properly to
> this vulnerability and apparently do not seem to care to help out.
That's not what I read from it - to me it seems he has informed the
vendors that some nondescript vulnerability exists, and that his best
solution at this time is not to fix the vulnerability but to change how
OpenSSH is used and implemented on each and every platform, using a
mechanism that has barely been used at all in the field. If I were a
vendor right now, I'd be thinking long and hard about forking OpenSSH
and requesting direct notification of vulnerabilities for the new package.
> Theo also states that PrivSep IS NOT A FIX but at least a workaround UNTIL a
> patch can be distributed. So, he is giving people a way of closing a flaw
> until it can be fixed. Since when is that bad? Sure, not ideal, but is it
> _so_ horrible?
What's _so_ horrible is threatening the vendors (and users) that if they
don't use OpenSSH a certain way, using a completely new code path, their
customers will be put at risk. He has stated that details of the
vulnerability will be released next week, but made no mention of a patch
to secure this vulnerability before those details are released.
> flaming someone who has not even been copied on your flames, and probably
> knows nothing of it. Would you like to be treated the same way?
Theo knows exactly what he's doing, and I'd be surprised if he's not
getting enough flames as-is without us adding to his troubles.
Paul.