RE: [ILUG] openssh vulnerability

From: Vincent Cunniffe (vincent at domain cunniffe.net)
Date: Tue 25 Jun 2002 - 14:28:26 IST

• Next message: Waider: "Re: [ILUG] Package dependencies"
• Previous message: Thomas Bridge: "[ILUG] Odd sockets problem"
• In reply to: Anders Holm: "RE: [ILUG] openssh vulnerability"
• Next in thread: Paul Kelly: "Re: [ILUG] openssh vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Quoting Anders Holm <anders.holm at domain elivefree.net>:

> [snip]
> >
> > It's not a work-around if you're running 2.2 kernels, as many people
> > still are. I'm running a pair of heavily modded RH 6.2 machines, with
> > upgraded kernels and all public services upgraded to latest.
>
> Apparently John Madden was successful in this. Maybe one would ask him how
> he did this? Might even be worth the effort, who knows?

I've already tried : mmap fails with errors on the boxes.

When I switch off privsep in the config, it works.
 
> > Suddenly I'm being told that I have to re-install both servers because
> > of Theo de Raadt? Screw that. It's extremely irrespondible to insist on
> > a pet solution that screws things up permanently for a large number of
> > people.
>
> No one said you'd have to re-install, did they, or did I miss something
> along the way? That's your choice, you're the admin. No one insisted on it,
> but rather gave a recommendation for a work around. And please, enlighten

If the only fix being offered will not work on 2.2 kernels, then it will
require a 2.4 kernel. And if I have to switch production boxen to 2.4, it
will be via a reinstall, not a slightly dodgy OS upgrade.

> me how it would screw things up for you. How exactly have you then "modded"
> your _old_ RH 6.2 boxes? Maybe that is where your _real_ problem lies??
> Maybe someone here would have a fix for your particular problem. After all,
> isn't that why this list exists?

I've upgraded the kernel to 2.2.19, and upgraded every service, that's all.

No magic.

> And for being irresponsible in giving a recommendation, wouldn't you rather
> know about it than be "in the dark"?? To me, hearing this type of argument
> from a sysadmin makes me wonder a bit. Are you not rather happier knowing
> that there may be a problem, rather than having to find it out the hard
> way? Isn't it beneficial in some way at all to know that your systems _may_
> get compromised by this vulnerability?

No : they should not have decided on this method of fixing the problem and
then publically announced it. It's irresponsible. Your argument rests on
the fait accompli that they've already announced it.
 
Vin

• Next message: Waider: "Re: [ILUG] Package dependencies"
• Previous message: Thomas Bridge: "[ILUG] Odd sockets problem"
• In reply to: Anders Holm: "RE: [ILUG] openssh vulnerability"
• Next in thread: Paul Kelly: "Re: [ILUG] openssh vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:30 GMT