[NCLUG] Nasty-bad OpenSSH Exploit
Michael Dwyer
mdwyer at sixthdimension.com
Thu Jun 27 09:57:27 MDT 2002
"J. Paul Reed" wrote:
>
> On Wed, 26 Jun 2002, Michael Dwyer wrote:
>
> > Executive summary: Turn off SKey, turn on PrivilegeSeparation, or
> > upgrade to 3.4. Upgrade to 3.4 anyway, to miss some other bugs they
> > found.
>
> The way Theo de Raadt handled this exploit was appalling, unacceptable, and
> downright irresponsible.

I'm not sure I fully agree with you ('cuz THAT would be a first! :) )
But I agree that the way it is being handled is pretty strange. We get
news of a horrific SSH exploit that will allow anyone to r00t my boxes,
and then we get the news that there isn't a patch. Then, when a full
patch is available, it breaks compression on non-BSD boxes? (I haven't
actually tried it on a 2.2 kernel yet, but that's what the readmes
say...)

Let's compare this against a similar package -- BIND. Bind was the
victim of a number of recent exploits. But their method of handling it
was more reasonable: "We've discovered problems in Bind8. We've
patched them, but there are some fundamental flaws that we'd like to
work out. So, we're gonna keep patching up 8 for a while, but in the
meantime, here's Bind9."

I'm kinda freaked out that I've moved from OpenSSH2.1 to 3.4 in the
matter of a year or so. That's not cool at all. I mean, I'm glad it is
updated -- seeing as it is the ONLY exposure I have on many of my boxes
-- but... <sigh> I dunno. This is getting silly.

This makes me want to look for other options... When is GNU going to do
SSH?! :)