Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: None <itojun@iijlab.net>
List: tech-pkg
Date: 06/27/2002 13:21:25
>It's completely absurd that the OpenSSH people recommended blind upgrades
>to a PrivSep version of OpenSSH, rather than just suggesting to people that
>they disable ChallengeResponseAuthentication.  I guess they're not so "Open"
>after all.

	my guess - ChalRespAuth workaround was not mentioned in the first
	"no fix yet" advisory, as disclosing it will disclose how to attack
	the daemon.

itojun