Upcoming OpenSSH vulnerability

Corinna Vinschen vinschen at redhat.com
Wed Jun 26 17:50:27 EST 2002


On Tue, Jun 25, 2002 at 09:24:12PM -0500, Phil Howard wrote:
> On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote:
> 
> | I think it's good that Theo put out the alert and said that privilege
> | separation (on the platforms where it works) will prevent the exploit.
> | I don't think it's realistic to expect that everyone can rush privilege
> | separation into production as a means of addressing this problem.  You
> | can complain that vendors should have helped you get this working
> | earlier, but it doesn't surprise me that most haven't responded without
> | a major incentive to do so.
> 
> Apparently the non-portable OpenSSH has had this feature working
> for a while.  Given it is a security feature, it's really wrong
> that vendors have failed to get it working on their platforms.
> Security in and of itself should be the major incentive to do so.
> Why should the authors of OpenSSH be the only ones to be expected
> to address security issues in a timely manner?  And even if they
> do, how can they be expected to make source patches that work
> universally if there are crippled versions of OpenSSH ported to
> certain platforms which can make these patches not work?  What
> better incentive can you think of to get them to budge but a real
> live security situation?  If they can't respond to that, then it
> is time to write them off as another MSFT-wannabe.

You're living in an ideal world, right?

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
