LINUX.IE, website of the Irish Linux Users' Group

[ILUG] openssh vulnerability

Paul Kelly longword at esatclear.ie
Tue Jun 25 10:36:19 IST 2002


Anders Holm wrote:
> at this point I'm now including the author of the SecurityFocus.com
> announcement, so if he feels like it he may have the freedom to defend himself.
> I am doing this because I do not believe in "battering" people behind their
> backs.

As I expected, it's being covered quite well outside our little patch of
the Internet. The slashdot comments are pretty much in line with what
we've been saying here.

> You apparently like OpenSSH, but don't like them to tell you
> that there may be a problem with it. I disagree the strongest with this
> behaviour, that is why, and it is my freedom to say so as well.

Nope. I'm happy that they say there's a vulnerability out there. I'm
happy that they suggest in advance that PrivSep is a good workaround for it.

I'm not happy that they may release details of the vulnerability before
a patch has been released. Now this is just a 'may', but there has been
no mention of a patch to fix it yet. I understand that the clock is
ticking, but it profits no one to discuss the problem openly before it is
fixed.

The well-established path for a vulnerability report is to fix the thing
first, maybe mention that a problem exists, and distribute this full fix
to the major vendors so that they have plenty of time to have fresh
binary packages available at the appointed hour for the publication of
the vulnerability.

PrivSep is NOT yet an acceptable solution by any stretch of the
imagination. The Mandrake people have already found bugs in its
interaction with PAM. For all we know it may expose us to further
vulnerabilities on par with those in the commercial SSH 3.0 release
(allowed anyone to ssh in to disabled accounts without a password). This
code is out a WEEK! I for one wouldn't even consider running it on a
production machine.

Paul.