Upcoming OpenSSH vulnerability

Steve VanDevender stevev at darkwing.uoregon.edu
Wed Jun 26 09:51:26 EST 2002


Ben Lindstrom writes:
 > Incorrect, 3.1 has Privsep.

Funny, I can't find the options in the stock OpenSSH 3.1p1 source tree.
If it was available, it was obviously as an unsupported patch at the
time.

 > Look at it this way.  Do you want us to release the exploit and the patch
 > now?  Or would you rather have us wait the few days to gather patch fixes
 > so hopefully 70% of those following along can at least be semiprotected?

I, personally, would much rather have a patch that fixes the real
security problem now for the platforms for which privilege separation is
problematic (like Tru64 UNIX with C2 security) so that my systems will
be protected whether or not I can get privilege separation working on
them.  I'd like to get it working on all of them eventually, but it's
clear from the flurry of bug reports and activity this week that it's
just not ready for widespread production use yet.

 > This is the correct course of action.  I agree with Theo's reasons 100%.

I think it's good that Theo put out the alert and said that privilege
separation (on the platforms where it works) will prevent the exploit.
I don't think it's realistic to expect that everyone can rush privilege
separation into production as a means of addressing this problem.  You
can complain that vendors should have helped you get this working
earlier, but it doesn't surprise me that most haven't responded without
a major incentive to do so.



More information about the openssh-unix-dev mailing list