Anders Holm wrote:
> Still... Slashdot is more widely known to the world than ILUG is, no offence
> to anyone. So realistically they wouldn't have had much of a chance to
> respond unless already on the list, would they?
Would probably have been better to send him a one-line message with a
link to the thread http://www.linux.ie/pipermail/ilug/2002-June/047444.html
Busy man our Theo.
> Which they still haven't. Apparently the patch would need some assistance
> from different vendors in order to get it working satisfactorily.
What they're asking for assistance with is the perfection and widespread
deployment of PrivSec, not with fixing this particular bug. Theo is
using this bug to further his own ends - ends which may be a good idea,
but I hate to see bugs being used as leverage for ulterior motives.
Smacks of ISS's treatment of the recent Apache vulnerability and it
feels like they'll be making almost the same mistake over again next
week when details of the vulnerability are released.
Have a read of the Debian announcement on the subject. They seem nearly
as unhappy with the situation as I am. They're a good bit more
diplomatic of course. They don't seem to have been provided with, nor
consulted on the distribution of a patched OpenSSH to combat the bug.
Apparently (unsubstantiated slashdot rumour that sounds plausible)
PrivSec can't work properly yet on 2.2 kernels so Debian can't even
release that for their stable distribution. On a timescale of a few days
I think it's unreasonable to expect PrivSec to work perfectly (read
trustworthy) on a 2.2 Linux kernel, or on a PAM-based distribution.
> What would you have said if you would have been compromised
> due to this vulnerability and they had known it existed?
I have NO problem at all with them saying it's vulnerable, nor that
PrivSec is a possible source of protection. I'm delighted that I have
the opportunity to shut down sshd or firewall it off a bit more. I just
need to know that when details are released, I'll have updated packages
the same day for my favourite major distribution. Without forcing me to
use beta quality code in so vital a tool.
> And by _not_ running [PrivSec]
> currently on a production machine, what problems do you keep open for
> exploitation?
I see little or no difference in risk between the unknown of PrivSec and
the unknown of a bug for which no exploit has ever been seen.
Paul.