Subject: Re: openssh netbsd SA
To: Alan Post <apost@recalcitrant.org>
From: David Maxwell <david@crlf.net>
List: tech-security
Date: 09/17/2003 01:11:13

On Tue, Sep 16, 2003 at 08:34:06PM +0000, Alan Post wrote:
> Are we going to see an SA regarding the openssh buffer business soon?

It's available now.

http://www.netbsd.org/Changes/#sa2003-030917

It's probably not the last word on this issue though.

Generally speaking, if you haven't seen an SA yet on a given issue, it's
because the issue hasn't been completely dealt with. There's more harm
to be done in running people through a multiple-upgrade cycle, chasing
imperfect patches, than in waiting a few hours more. 

This is especially true in a case like this one, where many eyes have
reviewed the code in question and not yet found a way to exploit it.

If the rumours of an sshd exploit are true, I doubt these buffer patches
are the fix for it.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville