On Tue, Jun 25, 2002 at 06:07:43PM +0100, Paul Kelly wrote:
> The annoying thing is Theo says he fixed the bug "in 3 minutes". So the
> patch exists right now. It's not complex. It's not tied to a particular
> OS. But still, at the hour of the announce, the only distribution with
> binary updates will be OpenBSD.

The patch exists no doubt, and it isn't being distributed exactly because
it would reveal the nature of the bug. Whether that's prudent or not,
we'll know next week. As to OpenBSD, we still don't know if it's even
exploitable on OpenBSD.

> On other platforms I would be VERY cautious about moving to PrivSep at
> this point, especially since there's at least one claim of a root
> exploit in the new OpenSSH 3.3.1p code. Now I don't know if that bloke's
> taking the piss or not, but I know I'd rather not risk it. There are
> enough minor Known Bugs in PrivSep that there's good reason to suspect
> at least one doozie is hiding in there.

The curious thing is that the move to PrivSep is not necessary.
From reading the notice, it says that the problem isn't exploitable
(though is possibly present) while using PrivSep, and that's great,
I can see it being a good argument for using Privilege Separation
as an interim solution until the fix is available. I'll buy that,
no problem.

But how does this extend into the impending urgency in getting vendors
to make PrivSep work fully on their platform? If Theo is waiting on
this before the release of the fix ... it would indicate that using
Privilege Separation is an implementation necessity of the fix. This
makes no sense.

The problem should be fixable regardless and it should fix it regardless
of whether you have privilege separation on or off. Otherwise it isn't
a solution. But as we know already, the patch is available, and it
really does seem, as others here have suggested, that it's a case of using
this opportunity to implement a policy decision. Seems to be a case of
"I told you privilege separation would be a good idea, look, this
wouldn't have been a problem if you had used it like I told you to.
That's it, I'm telling your Ma".

Nowhere does the document suggest that privilege separation is a
necessity of the solution, just that it's a very good idea, and if
your vendor had it working for you, this wouldn't even be a problem.

--
colmmacc at redbrick.dcu.ie PubKey: colmmacc+pgp at redbrick.dcu.ie
Web: http://devnull.redbrick.dcu.ie/