LINUX.IE, website of the Irish Linux Users' Group

[ILUG] openssh vulnerability


Vincent Cunniffe vincent at cunniffe.net
Tue Jun 25 14:28:26 IST 2002


Quoting Anders Holm <anders.holm at elivefree.net>:

> [snip]
> >
> > It's not a work-around if you're running 2.2 kernels, as many people
> > still are. I'm running a pair of heavily modded RH 6.2 machines, with
> > upgraded kernels and all public services upgraded to latest.
> 
> Apparently John Madden was successful in this. Maybe one would ask him how
> he did this? Might even be worth the effort, who knows?

I've already tried : mmap fails with errors on the boxes.

When I switch off privsep in the config, it works.
 
> > Suddenly I'm being told that I have to re-install both servers because
> > of Theo de Raadt? Screw that. It's extremely irresponsible to insist on
> > a pet solution that screws things up permanently for a large number of
> > people.
> 
> No one said you'd have to re-install, did they, or did I miss something
> along the way? That's your choice, you're the admin. No one insisted on it,
> but rather gave a recommendation for a work around. And please, enlighten

If the only fix being offered will not work on 2.2 kernels, then it will
require a 2.4 kernel. And if I have to switch production boxen to 2.4, it
will be via a reinstall, not a slightly dodgy OS upgrade.

> me how it would screw things up for you. How exactly have you then "modded"
> your _old_ RH 6.2 boxes? Maybe that is where your _real_ problem lies??
> Maybe someone here would have a fix for your particular problem. After all,
> isn't that why this list exists?

I've upgraded the kernel to 2.2.19, and upgraded every service, that's all.

No magic.

> And for being irresponsible in giving a recommendation, wouldn't you rather
> know about it than be "in the dark"?? To me, hearing this type of argument
> from a sysadmin makes me wonder a bit. Are you not rather happier knowing
> that there may be a problem, rather than having to find it out the hard
> way? Isn't it beneficial in some way at all to know that your systems _may_ 
> get compromised by this vulnerability?

No : they should not have decided on this method of fixing the problem and
then publicly announced it. It's irresponsible. Your argument rests on
the fait accompli that they've already announced it.
 
Vin




