Anders Holm wrote:
> at this point I'm now including the author of the SecurityFocus.com
> announcement, so if he feels like it, he may have the freedom to defend himself.
> I am doing this because I do not believe in "battering" people behind their
As I expected, it's being covered quite well outside our little patch of
the Internet. The slashdot comments are pretty much in line with what
we've been saying here.
> You apparently like OpenSSH, but don't like them to tell you
> that there may be a problem with it. I disagree most strongly with this
> behaviour, that is why, and it is my freedom to say so as well.
Nope. I'm happy that they say there's a vulnerability out there. I'm
happy that they suggest in advance that PrivSep is a good workaround for it.
I'm not happy that they may release details of the vulnerability before
a patch has been released. Now this is just a 'may' but there has been
no mention of a patch to fix it yet. I understand that the clock is
ticking, but it profits no one to discuss the problem openly before it is
The well established path for a vulnerability report is to fix the thing
first, maybe mention that a problem exists, and distribute this full fix
to the major vendors so that they have plenty of time to have fresh
binary packages available at the appointed hour for the publication of
PrivSep is NOT yet an acceptable solution by any stretch of the
imagination. The Mandrake people have already found bugs in its
interaction with PAM. For all we know it may expose us to further
vulnerabilities on par with those in the commercial SSH 3.0 release
(allowed anyone to ssh in to disabled accounts without a password). This
code is out a WEEK! I for one wouldn't even consider running it on a
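The PrivSep workaround debated in this thread has to be switched on in sshd_config, and it is easy to believe it is on when it is not: the stock file usually carries the directive commented out, and sshd honours the first active occurrence of a keyword, so a line appended at the end of the file is silently ignored if an earlier line already sets it. The following is an added example, not code from this post or from the OpenSSH project. It parses a constructed sshd_config the way sshd reads most keywords (case-insensitive keyword, '#' comments, first occurrence wins), reports whether privilege separation is enabled, and rewrites the file so it is. The assumption that an absent keyword means "no" (the compiled-in default of the OpenSSH release the thread discusses) is mine and is labelled in the code.

```python
"""Check and enable UsePrivilegeSeparation in an sshd_config.

Added example, not from the thread or from OpenSSH. Parsing follows the
daemon's rules for most keywords: keyword is case-insensitive, '#' starts
a comment, whitespace or '=' separates keyword and value, and the FIRST
occurrence of a keyword is the one that takes effect.
"""
import re

# Constructed sample config (not taken from the page): the directive is
# present but commented out, as in many shipped default files.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Port 22
Protocol 2,1
#UsePrivilegeSeparation yes
PermitRootLogin no
X11Forwarding yes
"""

KEYWORD = "useprivilegeseparation"
# Assumption: an absent keyword falls back to the daemon's compiled-in
# default, taken here as "no" for the 3.3-era release under discussion.
DEFAULT_PRIVSEP = "no"


def _split_directive(code):
    """Split an uncommented config line into (keyword_lower, value)."""
    parts = re.split(r"[ \t=]+", code, maxsplit=1)
    key = parts[0].lower()
    value = parts[1].strip() if len(parts) > 1 else ""
    return key, value


def parse_sshd_config(text):
    """Return {keyword: value}, keeping only the first occurrence of each keyword."""
    seen = {}
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not code:
            continue
        key, value = _split_directive(code)
        seen.setdefault(key, value)            # first occurrence wins, like sshd
    return seen


def privsep_enabled(text):
    """True if the effective UsePrivilegeSeparation value is 'yes'."""
    value = parse_sshd_config(text).get(KEYWORD, DEFAULT_PRIVSEP)
    return value.lower() == "yes"


def enable_privsep(text):
    """Return the config with privilege separation turned on.

    The first active directive is rewritten in place; if there is none,
    the directive is prepended. Appending to the end of the file would
    not work when an earlier line already says 'no'.
    """
    out = []
    done = False
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if not done and code and _split_directive(code)[0] == KEYWORD:
            out.append("UsePrivilegeSeparation yes")
            done = True
        else:
            out.append(raw)
    if not done:
        out.insert(0, "UsePrivilegeSeparation yes")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("sample enables PrivSep:", privsep_enabled(SAMPLE_SSHD_CONFIG))
    print(enable_privsep(SAMPLE_SSHD_CONFIG))
```

Run it against a real file with `privsep_enabled(open("/etc/ssh/sshd_config").read())` before trusting that the workaround is in force; the check says nothing about whether the running daemon has actually re-read the file, nor about the PAM interaction problems mentioned above.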
Maintained by the ILUG website team (Linux.ie). Networking services kindly provided by HEAnet, server kindly donated by Dell.