Aidan Kehoe wrote:
> Once details of the bug are released to bugtraq, attempts to exploit
> the bug will increase exponentially. Advising that a bug exists and
> enabling privsep will prevent an exploit is the responsible thing to
> do, if no specific fix is available.
The annoying thing is Theo says he fixed the bug "in 3 minutes". So the
patch exists right now. It's not complex. It's not tied to a particular
OS. But still, at the hour of the announcement, the only distribution with
binary updates will be OpenBSD.
On other platforms I would be VERY cautious about moving to PrivSep at
this point, especially since there's at least one claim of a root
exploit in the new OpenSSH 3.3.1p code. Now I don't know if that bloke's
taking the piss or not, but I know I'd rather not risk it. There are
enough minor Known Bugs in PrivSep that there's good reason to suspect
at least one doozie is hiding in there.
> > he has an agenda of wanting people to move to privsep, and is using
> > this upcoming bug fix to force people to move to it. it seems.
> Do you think he gives a shit[1] whether the wider world moves to
> privsep or not?
Theo works in weird and wonderful ways. Chalk that one up to weird
rather than wonderful. Weird that he cares rather than weird that he
wants it done - everyone agrees it's a good idea, but IMHO it's not
ready for prime time.
Paul.