Upcoming OpenSSH vulnerability

Phil Howard phil-openssh-unix-dev at ipal.net
Wed Jun 26 12:24:12 EST 2002


On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote:

| I think it's good that Theo put out the alert and said that privilege
| separation (on the platforms where it works) will prevent the exploit.
| I don't think it's realistic to expect that everyone can rush privilege
| separation into production as a means of addressing this problem.  You
| can complain that vendors should have helped you get this working
| earlier, but it doesn't surprise me that most haven't responded without
| a major incentive to do so.

Apparently the non-portable OpenSSH has had this feature working
for a while.  Given it is a security feature, it's really wrong
that vendors have failed to get it working on their platforms.
Security in and of itself should be the major incentive to do so.
Why should the authors of OpenSSH be the only ones to be expected
to address security issues in a timely manner?  And even if they
do, how can they be expected to make source patches that work
universally if there are crippled versions of OpenSSH ported to
certain platforms which can make these patches not work?  What
better incentive can you think of to get them to budge but a real
live security situation?  If they can't respond to that, then it
is time to write them off as another MSFT-wannabe.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------



More information about the openssh-unix-dev mailing list