LWN.net Logo

Advertisement

TrustCommerce

E-Commerce & credit card processing - the Open Source way!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Upcoming OpenSSH vulnerability

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 8:33 UTC (Tue) by garloff (subscriber, #319)
Parent article: Upcoming OpenSSH vulnerability

This statement from Theo really makes one wonder what's going on.
If a vulnerability is found in a software package, what the one who
discovers should do is to contact the authors of the software.
This apparently happened in this case. The next step for the authors
is to fix the problem and contact distributors. There are mailing
lists to coordinate these efforts. A few days later, most distributors
should have fixes ready and the disclosure of the vulnerability can
happen and all distros can send their sec announcements within a short
amount of time.
For some reason Theo seems to imply he does not want to follow this
procedure. Instead he wants that the distributors implement a workaround
beforehand. Strange way of dealing!
After reading about the Privilege Separation stuff it sounds like a very
good idea to me. After reading Theo's "I want to force it down your
throats" I'm not so sure any more ...

(Log in to post comments)

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 10:00 UTC (Tue) by BogusUser ((unknown), #2238) [Link]

If the details to this vulnerability would have been released (even with patches) just about every Linux box on the planet would have been cracked before the owners would've had time to install the patch. Publishing a fix to this problem will only tell the cracker exactly where the problem is.

So they first work around the bug, without actually fixing the bug and telling what is it and where it is, so crackers can't make an exploit before people are immune (and I repeat, a direct fix would exactly tell the cracker what the bug is.)

A bug like this is what every cracker is dreaming of, a way into just about every unix machine on the planet!

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 10:38 UTC (Tue) by BogusUser ((unknown), #2239) [Link]

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=255989+0+current/freebsd-security

I don't know with what agenda the advisory was released,
but one can't call it an innocent one.

I can't refute the statement that a workaround which defuses the
so called hole into nothing more then an unprivilidge accoutn getting
compromised. Is a good in between step.

But a real fix ready monday next week ? that's not an option. today
or tomorrow is.

Furthermore I find the statements made by theo in his release very
dubious.

"Customers can judge their vendors by how they respond to this issue."

Is one of them.

And again there seems to me to be too much old grief and sorrow in
the initial announcements and all reactions.

Sure people can differ in opinion, but when it comes to these kinds
of threats we "the world of free source",both users and developers, need
to stick together.


And "the world of free source" has thrived by sharing ideas and problems.

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 12:37 UTC (Tue) by BogusUser ((unknown), #2242) [Link]

That's the biggest crock I've ever heard.

"the world of free source" thrives on opinionated stupidity. Nobody
ever really fixes anything well, because the opinionated dickhead who
ends up dong the fix always decides it's "somebody elses problem", and
wastes shitloads more time arguing about why they should not have to
be the person to solve something or other than it would have taken to
just do as they're asked in the first place.

Add to that - when you look at their (usually comment-free) code, it's
always amazing that any fix works at all.

Upcoming OpenSSH vulnerability

Posted Jun 27, 2002 10:58 UTC (Thu) by BogusUser ((unknown), #2239) [Link]

Heh,

Ok can't refute your statement.


I think I should have made my point by stating that
the motive I describe is one to go by.
Or I could throw in responsibility...

But it seems my motives are too naive for a burdend free source
user/developer.

And indeed opinionated stupidity is the basis on which theo released
the "preliminary" advisory and the following I might add.


Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 12:44 UTC (Tue) by BogusUser ((unknown), #2242) [Link]

As for the statement:-

"Customers can judge their vendors by how they respond to this issue."

This is *absolutely* 100% spot-on. Suggesting otherwise has the
identical effect as tattooing "I am the lazy and opinionated stupid
idiot who prefers to argue why it's not my job to fix a problem rather
than just fix a problem" on your forehead.

Grow up kiddies. Shut up and fix it instead of wasting everyones time
and proving you care more for the survival of your own (dumb) opinions
than for the safety of everyone else.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds