Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Sean Davis <dive@endersgame.net>
From: Michael C. Ibarra <ibarra@hawk.com>
List: tech-security
Date: 06/24/2002 21:34:34
Yes, descriptions would be great, but I believe what Theo is saying
is that the description could also spell disaster if it is released
prior to at least giving some a chance by getting patched. 

-mike

Quoting Sean Davis <dive@endersgame.net>:

> I don't really care about a bug description. But I do feel that having a fix
> and not releasing it is a little irresponsible. It doesn't seem to me like too
> much to ask that the authors provide fixes to their software.
> 
> On Mon, Jun 24, 2002 at 06:40:15PM -0600, Theo de Raadt wrote:
> > How many of you want me to send them the exact bug description right
> > now?
> > 
> > And you won't tell anyone, right?  Just our own little secret.  We can
> > be so 31337!
> > 
> > Geez.
> > 
> > > Sure, as long as I'm not vulnerable to this new bug (which it is
> > > irresponsible of them not to give details of, but anyway) I don't really
> > > care what version I have. I was just wondering, because I thought I saw 3.3
> > > get committed the other day.
> > > 
> > > On Mon, Jun 24, 2002 at 08:31:13PM -0400, Perry E. Metzger wrote:
> > > > 
> > > > itojun@iijlab.net writes:
> > > > > >Shouldn't we have 3.3 in basesrc/crypto/dist/ssh now? I know I saw commits
> > > > > >yesterday (or perhaps the day before) saying it was updated to 3.3, but
> > > > > >after a CVS update just now, I still get 3.2.1. I updated crypto/dist/ssh
> > > > > >and usr.bin/ssh, and see no differences. Am I doing something wrong?
> > > > > 
> > > > > 	are you on 1.6 branch?  1.6 branch has 3.2.1 with privilege separation
> > > > > 	on by default.
> > > > 
> > > > Is 3.2.1 with priv sep. sufficient?
> > > > 
> > > > --
> > > > Perry E. Metzger		perry@wasabisystems.com
> > > > --
> > > > NetBSD: The right OS for your embedded design. http://www.wasabisystems.com/
> > > 
> > > -- 
> > > /~\ The ASCII                         Sean Davis
> > > \ / Ribbon Campaign                    aka dive
> > >  X  Against HTML
> > > / \ Email!                   http://endersgame.net/~dive/
> > 
> 
> -- 
> /~\ The ASCII                         Sean Davis
> \ / Ribbon Campaign                    aka dive
>  X  Against HTML
> / \ Email!                   http://endersgame.net/~dive/

