LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] openssh vulnerability

[ILUG] openssh vulnerability

Paul Kelly longword at esatclear.ie
Tue Jun 25 21:30:34 IST 2002 

Colm MacCarthaigh wrote:
> The patch exists no doubt, and it isnt being distributed exactly because
> it would reveal the nature of the bug.

Most assuredly so. And mere mortals like us MUST NOT get access to this 
patch yet. However the major vendors SHOULD get it ASAP so that they can 
be prepared for timely releases of updated packages when Full Disclosure 
happens.

> to make PrivSep work fully on their platform ? If Theo is waiting on
> this before the release of the fix ...  it would indicate that using
> Privelege Seperation is an implimentation neccessity of the fix. This
> makes no sense.

All indications are to the contrary - PrivSep doesn't fix this bug in 
any way, it's just supposed to lessen the severity to near nothing. 
PrivSep is not and could not be involved in the fix for this bug. The 
two are separate and distinct, aside from Theo using one as a stick to 
beat the other.

> Nowhere does the document suggest that privelege seperation is a
> neccessity of the solution

The document suggests that those who don't implement PrivSep right now 
will be exposed to the bug for however many days after Full Disclosure 
it takes for their vendor to evaluate the alert, integrate the patch 
into their OpenSSH packages - possibly backporting it to older versions 
of OpenSSH to support some of their older distributions, test it on all 
of their supported platforms, and release the packages. Unless of course 
the user wants to go hand-compiling it. Thanks to the variety of PAM and 
non-PAM Linux distributions out there, this option is non-trivial for 
most users.

Paul.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell