From: Paul Kelly (longword at domain esatclear.ie)
Date: Tue 25 Jun 2002 - 18:07:45 IST
Aidan Kehoe wrote:
> Once details of the bug are released to bugtraq, attempts to exploit
> the bug will increase exponentially. Advising that a bug exists and
> enabling privsep will prevent an exploit is the responsible thing to
> do, if no specific fix is available.
The annoying thing is Theo says he fixed the bug "in 3 minutes". So the
patch exists right now. It's not complex. It's not tied to a particular
OS. But still, at the hour of the announce, the only distribution with
binary updates will be OpenBSD.
On other platforms I would be VERY cautious about moving to PrivSec at
this point, especially since there's at least one claim of a root
exploit in the new OpenSSH 3.3.1p code. Now I don't know if that bloke's
taking the piss or not, but I know I'd rather not risk it. There are
enough minor Known Bugs in PrivSec that there's good reason to suspect
at least one doozie is hiding in there.
> > he has an agenda of wanting people to move to privsep, and is using
> > this upcoming bug fix to force people to move to it. it seems.
> Do you think he gives a shit[1] whether the wider world moves to
> privsep or not?
Theo works in weird and wonderful ways. Chalk that one up to weird
rather than wonderful. Weird that he cares rather than weird that he
wants it done - everyone agrees it's a good idea, but IMHO it's not
ready for prime time.
Paul.
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:32 GMT