Upcoming OpenSSH vulnerability

Phil Howard phil-openssh-unix-dev at ipal.net
Wed Jun 26 19:18:48 EST 2002


On Wed, Jun 26, 2002 at 09:50:27AM +0200, Corinna Vinschen wrote:

| On Tue, Jun 25, 2002 at 09:24:12PM -0500, Phil Howard wrote:
| > On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote:
| > 
| > | I think it's good that Theo put out the alert and said that privilege
| > | separation (on the platforms where it works) will prevent the exploit.
| > | I don't think it's realistic to expect that everyone can rush privilege
| > | separation into production as a means of addressing this problem.  You
| > | can complain that vendors should have helped you get this working
| > | earlier, but it doesn't surprise me that most haven't responded without
| > | a major incentive to do so.
| > 
| > Apparently the non-portable OpenSSH has had this feature working
| > for a while.  Given it is a security feature, it's really wrong
| > that vendors have failed to get it working on their platforms.
| > Security in and of itself should be the major incentive to do so.
| > Why should the authors of OpenSSH be the only ones to be expected
| > to address security issues in a timely manner?  And even if they
| > do, how can they be expected to make source patches that work
| > universally if there are crippled versions of OpenSSH ported to
| > certain platforms which can make these patches not work?  What
| > better incentive can you think of to get them to budge but a real
| > live security situation?  If they can't respond to that, then it
| > is time to write them off as another MSFT-wannabe.
| 
| You're living in an ideal world, right?

It depends on whose definition you want to use.  Bill Gates' definition?

How long has the opportunity to port privilege separation been there?

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------


