From: Anders Holm (anders.holm at domain elivefree.net)
Date: Tue 25 Jun 2002 - 08:18:13 IST
All,
at this point I'm now including the author of the SecurityFocus.com
announcement, so that, if he feels like it, he may have the freedom to defend himself.
I am doing this because I do not believe in "battering" people behind their
backs. If I think someone is behaving badly, I'd at least _try_ to tell that
person so. We all want to believe that this community should give us
freedom. Freedom to software, as well as speech. The former is done here without
the latter. You apparently like OpenSSH, but don't like them to tell you
that there may be a problem with it. I disagree most strongly with this
behaviour, that is why, and it is my freedom to say so as well.
Though I do think that this thread should die a quick death, since this is
not what the ILUG is intended for, as far as I think anyway. Flame wars are
what I mean, of course.
> -----Original Message-----
> From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie]On Behalf Of Paul
> Kelly
> Sent: 25 June 2002 07:48
> To: ilug at domain linux.ie
> Subject: Re: [ILUG] openssh vulnerability
>
>
> Anders Holm wrote:
> > What I can get out of this is that Theo and Co. actually has _tried_
> > resolving this _with_ vendors, but that they are not responding
> > properly to
> > this vulnerability and apparently does not seem to care to help out.
>
> That's not what I read from it - to me it seems he has informed the
> vendors that some nondescript vulnerability exists, and that his best
> solution at this time is not to fix the vulnerability but to change how
> OpenSSH is used and implemented on each and every platform, using a
> mechanism that has barely been used at all in the field. If I was a
> vendor right now, I'd be thinking long and hard about forking OpenSSH
> and requesting direct notification of vulnerabilities for the new package.
If I was a vendor who had received a request to try and help fixing the
problem, I would have at least tried before it had to go public. Apparently
only one vendor did so. If that is the ONLY KNOWN way to work around this
vulnerability, do you really then consider it a fault on Theo's side to let
people know about it? He does not REQUIRE you to do so. But I'd say that if
it is currently the only way to close this until a patch has been released,
why not? With security come certain pains. This would include of course
that certain software packages one relies on, especially the likes of
OpenSSH, would have the possibility of having a security hole in them. The
whole point of OpenSSH is to have a more secure way to access your system,
right? So, even with this flaw, compare it to other login services and let
me know what you find, ok?
> > Theo also states that PrivSep IS NOT A FIX but at least a
> > workaround UNTIL a
> > patch can be distributed. So, he is giving people a way of
> > closing a flaw
> > until it can be fixed. Since when is that bad? Sure, not ideal,
> > but is it
> > _so_ horrible?
>
> What's _so_ horrible is threatening the vendors (and users) that if they
> don't use OpenSSH a certain way, using a completely new code path, their
> customers will be put at risk. He has stated that details of the
> vulnerability will be released next week, but made no mention of a patch
> to secure this vulnerability before those details are released.
Eh? WHERE did he threaten anyone? If I considered it a threat any time I
had a warning of "troubles ahead", I'd have bought a gun years ago.
No, no mention as you say of a release date for a patch, and no "release
date" either for the details. Just "early next week". And if there is no
patch at that time, you're looking to see code to exploit the vulnerability?
Tell me, since you have apparently read his statements very thoroughly,
what type of vulnerability is this? Buffer overflow, or something else? Or,
since this is in the public code, maybe you could then outline the lines of
code which are the culprit? Then possibly someone on the list here could
assist in a creative manner and hopefully create a patch.
> > flaming someone who has not even been copied on your flames,
> > and probably
> > knows nothing of it. Would you like to be treated the same way?
>
> Theo knows exactly what he's doing, and I'd be surprised if he's not
> getting enough flames as-is without us adding to his troubles.
Well, he _should_ anyway. At least I find his statements thought through,
which is more than one can say about most people with access to a mail
client. And as you say, he's probably getting tons of flames, but I still
believe that if I feel that someone is doing something wrong, I'd let him
know, not everyone else _but_ him. Fair is only fair, right? See top as
well.
> Paul.
//Anders//
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:29 GMT