[ILUG] openssh vulnerability

Paul Kelly longword at esatclear.ie
Tue Jun 25 11:51:33 IST 2002


Anders Holm wrote:
> Still... Slashdot is more widely known to the world than ILUG is, no offence
> to anyone. So realistically they wouldn't have had much of a chance to
> respond unless already on the list, would they?

Would probably have been better to send him a one-line message with a 
link to the thread http://www.linux.ie/pipermail/ilug/2002-June/047444.html

Busy man our Theo.

> Which they still haven't. Apparently the patch would need some assistance
> from different vendors in order to get it working satisfactorily.

What they're asking for assistance with is the perfection and widespread 
deployment of PrivSec, not with fixing this particular bug. Theo is 
using this bug to further his own ends - ends which may be a good idea, 
but I hate to see bugs being used as leverage for ulterior motives. 
Smacks of ISS's treatment of the recent Apache vulnerability and it 
feels like they'll be making almost the same mistake over again next 
week when details of the vulnerability are released.

Have a read of the Debian announcement on the subject. They seem nearly 
as unhappy with the situation as I am. They're a good bit more 
diplomatic of course. They don't seem to have been provided with, nor 
consulted on the distribution of a patched OpenSSH to combat the bug. 
Apparently (unsubstantiated slashdot rumour that sounds plausible) 
PrivSec can't work properly yet on 2.2 kernels so Debian can't even 
release that for their stable distribution. On a timescale of a few days 
I think it's unreasonable to expect PrivSec to work perfectly (read 
trustworthy) on a 2.2 Linux kernel, or on a PAM-based distribution.

> What would you have said if you would have been compromised
> due to this vulnerability and they had known it existed?

I have NO problem at all with them saying it's vulnerable, nor that 
PrivSec is a possible source of protection. I'm delighted that I have 
the opportunity to shut down sshd or firewall it off a bit more. I just 
need to know that when details are released, I'll have updated packages 
the same day for my favourite major distribution. Without forcing me to 
use beta quality code in so vital a tool.

> And by _not_ running [PrivSec]
> currently on a production machine, what problems do you keep open for
> exploitation?

I see little or no difference in risk between the unknown of PrivSec and 
the unknown of a bug for which no exploit has ever been seen.

Paul.
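The two mitigations Paul mentions, turning on PrivSec and limiting how exposed sshd is, can be checked against a server's sshd_config. This is an added example, not code from the thread or from the OpenSSH project; it assumes the sshd_config parsing rules stated in its docstring, and the sample config is constructed.

```python
"""Audit an sshd_config for the PrivSec / exposure points raised in the thread.

Constructed example, not code from ILUG or the OpenSSH project. It assumes
sshd_config semantics: '#' starts a comment, lines are "keyword value"
(or "keyword=value"), keywords are case-insensitive, and for a repeated
keyword the FIRST value wins; ListenAddress may legitimately repeat.
"""

MULTI_VALUED = {"listenaddress"}  # keywords that accumulate instead of first-wins


def parse_sshd_config(text):
    """Return {keyword_lower: value} (first wins); lists for multi-valued keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in MULTI_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)      # later duplicates are ignored
    return settings


def audit_sshd_config(text):
    """Return (severity, keyword, message) findings for a defender to review."""
    cfg = parse_sshd_config(text)
    findings = []
    privsep = cfg.get("useprivilegeseparation")
    if privsep is None:
        findings.append(("info", "UsePrivilegeSeparation",
                         "not set explicitly; the compiled-in default applies"))
    elif privsep.lower() != "yes":
        findings.append(("warn", "UsePrivilegeSeparation",
                         "disabled: the network-facing sshd process keeps root"))
    if not cfg.get("listenaddress"):
        findings.append(("info", "ListenAddress",
                         "unset: sshd listens on all interfaces; restrict or firewall it"))
    return findings


# Constructed sample: the first UsePrivilegeSeparation line is the one sshd honours.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
UsePrivilegeSeparation no
UsePrivilegeSeparation yes
ListenAddress 10.0.0.5
"""

if __name__ == "__main__":
    for severity, keyword, message in audit_sshd_config(SAMPLE_CONFIG):
        print(f"[{severity}] {keyword}: {message}")
```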