Re: [ILUG] openssh vulnerability

From: Paul Kelly (longword at domain esatclear.ie)
Date: Tue 25 Jun 2002 - 10:36:19 IST


Anders Holm wrote:
> at this point I'm now including the author of the SecurityFocus.com
> announcement, so if he feels like it he may have the freedom to defend himself.
> I am doing this because I do not believe in "battering" people behind their
> backs.

As I expected, it's being covered quite well outside our little patch of
the Internet. The slashdot comments are pretty much in line with what
we've been saying here.

> You apparently like OpenSSH, but don't like them to tell you
> that there may be a problem with it. I disagree the strongest to this
> behaviour, that is why, and it is my freedom to say so as well.

Nope. I'm happy that they say there's a vulnerability out there. I'm
happy that they suggest in advance that PrivSep is a good workaround for it.

I'm not happy that they may release details of the vulnerability before
a patch has been released. Now this is just a 'may' but there has been
no mention of a patch to fix it yet. I understand that the clock is
ticking, but it profits no one to discuss the problem openly before it is
fixed.

The well established path for a vulnerability report is to fix the thing
first, maybe mention that a problem exists, and distribute this full fix
to the major vendors so that they have plenty of time to have fresh
binary packages available at the appointed hour for the publication of
the vulnerability.

PrivSep is NOT yet an acceptable solution by any stretch of the
imagination. The Mandrake people have already found bugs in its
interaction with PAM. For all we know it may expose us to further
vulnerabilities on par with those in the commercial SSH 3.0 release
(allowed anyone to ssh in to disabled accounts without a password). This
code is out a WEEK! I for one wouldn't even consider running it on a
production machine.

Paul.



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:29 GMT