Colm MacCarthaigh wrote:
> The patch exists no doubt, and it isnt being distributed exactly because
> it would reveal the nature of the bug.
Most assuredly so. And mere mortals like us MUST NOT get access to this
patch yet. However the major vendors SHOULD get it ASAP so that they can
be prepared for timely releases of updated packages when Full Disclosure
> to make PrivSep work fully on their platform ? If Theo is waiting on
> this before the release of the fix ... it would indicate that using
> Privelege Seperation is an implimentation neccessity of the fix. This
> makes no sense.
All indications are to the contrary - PrivSep doesn't fix this bug in
any way, it's just supposed to lessen the severity to near nothing.
PrivSep is not and could not be involved in the fix for this bug. The
two are separate and distinct, aside from Theo using one as a stick to
beat the other.
> Nowhere does the document suggest that privelege seperation is a
> neccessity of the solution
The document suggests that those who don't implement PrivSep right now
will be exposed to the bug for however many days after Full Disclosure
it takes for their vendor to evaluate the alert, integrate the patch
into their OpenSSH packages - possibly backporting it to older versions
of OpenSSH to support some of their older distributions, test it on all
of their supported platforms, and release the packages. Unless of course
the user wants to go hand-compiling it. Thanks to the variety of PAM and
non-PAM Linux distributions out there, this option is non-trivial for
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!