On Tue, Jun 25, 2002 at 09:30:32PM +0100, Paul Kelly wrote:
> Colm MacCarthaigh wrote:
> > The patch exists no doubt, and it isnt being distributed exactly because
> > it would reveal the nature of the bug.
>> Most assuredly so. And mere mortals like us MUST NOT get access to this
> patch yet. However the major vendors SHOULD get it ASAP so that they can
> be prepared for timely releases of updated packages when Full Disclosure
> happens.
I havnt made my mind up about this one yet. I'm inclined to agree, that
yes, major vendors should be notified of precise details and given the
opportunity to roll updates, but I'm going to wait until next week, when
I know those details to decide as to whether this (in)action was prudent
or not. I would prefer if the power of argument was used to encourage
vendors to migrate to PrivSep, rather than this approach, it is after
all a very good idea.
If the problem is indicitive of an entirely new type of attack vector,
which may have been previously unconsidered, then I don't mind PrivSep
being given this kind of priority by the OpenSSH group as much.
Part of me seriously doubts the foresight of some major vendors to
implement this (complex change) as a matter of priority rather than
apply the patch, test and roll, and then forget about it. Not that
this is a justification of the action, but I can see where they might
be coming from.
But aside from that unlikely circumstance, as I stated; it's more than
likely just an opportunistic policy decision.
> > to make PrivSep work fully on their platform ? If Theo is waiting on
> > this before the release of the fix ... it would indicate that using
> > Privelege Seperation is an implimentation neccessity of the fix. This
> > makes no sense.
>> All indications are to the contrary - PrivSep doesn't fix this bug in
> any way, it's just supposed to lessen the severity to near nothing.
> PrivSep is not and could not be involved in the fix for this bug. The
> two are separate and distinct, aside from Theo using one as a stick to
> beat the other.
exactly my point, which is why I think some people are overly concerned
(until we know a little more detail) about how difficult it is to roll
out PrivSep on their 2.2 boxes .. etc. Use a different alternative
for a few days, as if PrivSep didnt exist.
> > Nowhere does the document suggest that privelege seperation is a
> > neccessity of the solution
>> The document suggests that those who don't implement PrivSep right now
> will be exposed to the bug for however many days after Full Disclosure
> it takes for their vendor to evaluate the alert, integrate the patch
> into their OpenSSH packages - possibly backporting it to older versions
> of OpenSSH to support some of their older distributions, test it on all
> of their supported platforms, and release the packages. Unless of course
> the user wants to go hand-compiling it. Thanks to the variety of PAM and
> non-PAM Linux distributions out there, this option is non-trivial for
> most users.
I agree with that interpretation, certainly. But it remains that major
vendors are in a position to provide a solution to the problems by
friday.
--
colmmacc at redbrick.dcu.ie PubKey: colmmacc+pgp at redbrick.dcu.ie
Web: http://devnull.redbrick.dcu.ie/
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
