RE: [ILUG] openssh vulnerability

From: Anders Holm (anders.holm at domain elivefree.net)
Date: Tue 25 Jun 2002 - 12:09:36 IST


[snip]
> Would probably have been better to send him a one-line message with a
> link to the thread
> http://www.linux.ie/pipermail/ilug/2002-June/047444.html

At this rate, yep.. ;)

> Busy man our Theo.

Probably.. ;)

> > Which they still haven't. Apparently the patch would need some
> > assistance from different vendors in order to get it working
> > satisfactorily.
>
> What they're asking for assistance with is the perfection and widespread
> deployment of PrivSec, not with fixing this particular bug. Theo is
> using this bug to further his own ends - ends which may be a good idea,
> but I hate to see bugs being used as leverage for ulterior motives.
> Smacks of ISS's treatment of the recent Apache vulnerability and it
> feels like they'll be making almost the same mistake over again next
> week when details of the vulnerability are released.

Is it? I missed that in any case. I thought it was suggested so that people
could, while a patch was being created, have a means of closing a
vulnerability... Not to _force_ them to use a specific feature. I'd say he's
handing his user base an option to secure their systems.

> Have a read of the Debian announcement on the subject. They seem nearly
> as unhappy with the situation as I am. They're a good bit more
> diplomatic of course. They don't seem to have been provided with, nor
> consulted on the distribution of a patched OpenSSH to combat the bug.
> Apparently (unsubstantiated slashdot rumour that sounds plausible)
> PrivSec can't work properly yet on 2.2 kernels so Debian can't even
> release that for their stable distribution. On a timescale of a few days
> I think it's unreasonable to expect PrivSec to work perfectly (read
> trustworthy) on a 2.2 Linux kernel, or on a PAM-based distribution.

Did I ever say I was happy with this myself? Nope, I would also rather have
seen a proper patch right away, but alas.... As for 2.2 kernels, apparently
someone has managed to get it working. And they also stated that there may
be issues with PAM compatibility.

> > What would you have said if you would have been compromised
> > due to this vulnerability and they had known it existed?
>
> I have NO problem at all with them saying it's vulnerable, nor that
> PrivSec is a possible source of protection. I'm delighted that I have
> the opportunity to shut down sshd or firewall it off a bit more. I just
> need to know that when details are released, I'll have updated packages
> the same day for my favourite major distribution. Without forcing me to
> use beta quality code in so vital a tool.

Agreed. But what other options are currently available? And for such a short
time scale, what else is feasible? THAT is what I'm trying to say....

> > And by _not_ running [PrivSec]
> > currently on a production machine, what problems do you keep open for
> > exploitation?
>
> I see little or no difference in risk between the unknown of PrivSec and
> the unknown of a bug for which no exploit has ever been seen.

True, but yet again, if PrivSec is so new, how long will it take to find an
exploit for it? And who knows right now if the vulnerability hasn't been
exploited already?

> Paul.

//Anders//
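Both sides of this exchange treat turning on privilege separation (the feature the thread calls PrivSec) as the stop-gap while a real fix is pending, so the first thing an admin wants to know is whether their sshd_config actually enables it. The script below is an added example, not code from the thread or from OpenSSH: it reads an sshd_config and reports the UsePrivilegeSeparation setting, honouring the file's rules that keywords are case-insensitive, comment lines are ignored and the first occurrence of a keyword wins. UsePrivilegeSeparation is the real sshd_config directive; the sample configs are constructed here for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): read an sshd_config
# and report how privilege separation is set. UsePrivilegeSeparation is the
# real sshd_config keyword; everything else here is illustrative.

# privsep_setting [FILE]
# Prints "yes", "no", "unset" (directive absent or only commented out) or
# "malformed" (directive present with no value). Reads stdin when no FILE
# is given. sshd_config keywords are case-insensitive and the first
# occurrence wins, so the scan lower-cases $1 and stops at the first hit.
privsep_setting() {
    awk '
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "useprivilegeseparation" {
            if ($2 == "") print "malformed"; else print tolower($2)
            found = 1
            exit                                  # END still runs
        }
        END { if (!found) print "unset" }
    ' "$@"
}

# Constructed sample configs for the demo; they are not taken from any host.
sample_config() {
    case "$1" in
        on)
            printf '%s\n' 'Port 22' 'Protocol 2' \
                'UsePrivilegeSeparation yes' \
                'Subsystem sftp /usr/libexec/sftp-server' ;;
        commented)
            # Looks enabled at a glance, but the directive is commented out.
            printf '%s\n' 'Port 22' '#UsePrivilegeSeparation yes' ;;
        off)
            # Lower-case keyword: sshd accepts it, so the check must too.
            printf '%s\n' 'Port 22' 'useprivilegeseparation no' ;;
        broken)
            printf '%s\n' 'UsePrivilegeSeparation' ;;
    esac
}

# check_sample NAME -> the setting found in that constructed sample
check_sample() {
    sample_config "$1" | privsep_setting
}

# Against a real host:  privsep_setting /etc/ssh/sshd_config
for s in on commented off broken; do
    printf '%-10s -> %s\n' "$s" "$(check_sample "$s")"
done
```

This only tells you what the file says. It does not tell you whether the installed sshd is new enough to understand the directive (an sshd that does not know a keyword refuses to start on that config), nor whether the kernel and PAM concerns raised above apply on a given box; for that you still have to restart sshd and confirm that the unprivileged child is running as the dedicated sshd user.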



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:30 GMT