From: Paul Kelly (longword at domain esatclear.ie)
Date: Tue 25 Jun 2002 - 21:30:34 IST
Colm MacCarthaigh wrote:
> The patch exists no doubt, and it isnt being distributed exactly because
> it would reveal the nature of the bug.
Most assuredly so. And mere mortals like us MUST NOT get access to this
patch yet. However the major vendors SHOULD get it ASAP so that they can
be prepared for timely releases of updated packages when Full Disclosure
happens.
> to make PrivSep work fully on their platform ? If Theo is waiting on
> this before the release of the fix ... it would indicate that using
> Privelege Seperation is an implimentation neccessity of the fix. This
> makes no sense.
All indications are to the contrary - PrivSep doesn't fix this bug in
any way, it's just supposed to lessen the severity to near nothing.
PrivSep is not and could not be involved in the fix for this bug. The
two are separate and distinct, aside from Theo using one as a stick to
beat the other.
> Nowhere does the document suggest that privelege seperation is a
> neccessity of the solution
The document suggests that those who don't implement PrivSep right now
will be exposed to the bug for however many days after Full Disclosure
it takes for their vendor to evaluate the alert, integrate the patch
into their OpenSSH packages - possibly backporting it to older versions
of OpenSSH to support some of their older distributions, test it on all
of their supported platforms, and release the packages. Unless of course
the user wants to go hand-compiling it. Thanks to the variety of PAM and
non-PAM Linux distributions out there, this option is non-trivial for
most users.
Paul.
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:32 GMT