From: Chris Knight (chris@aims.com.au)
Date: Mon Jun 24 2002 - 22:09:28 CDT
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Keith
> Sent: Tuesday, 25 June 2002 12:55
> To: Jacques A. Vidrine
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Hogwash
> I hate to intrude on the conversation, but what is FreeBSD's
> official response to this? Posturing and full-disclosure debates
> aside, I'm inclined to take Theo's warning at face value. I
> know better than to expect my commercial UNIX vendor to act
> swiftly, but I've come to expect more from the FreeBSD project.
> If FreeBSD is going to wait until after the exploits are
> published, please let us know now so I can plan appropriately.
I don't know what the official response will be, but given the lack
of information regarding the exploit, plus its effect on a privsep
enabled ssh, it would be mad not to recommend either turning off
sshd or, where that is not possible, using firewalling rules to
restrict ssh access to a limited number of hosts.
I can understand Theo's concern, but the side effect of his actions
is simply causing FUD. There will be no guarantee that vendor
implementation of privsep will stop the exploit, so turning ssh off
or restricting its access is the wisest course of action.
> --Keith Stevenson--
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
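One way to put the access restriction suggested above into practice on FreeBSD's ipfw, written here as an added example rather than code from the thread. The host addresses are constructed placeholders, the rule numbers are an assumption about where the rules sit in an existing ruleset, and the IPFW variable lets the rules be previewed with "echo" before they are applied to a live box.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): restrict sshd (tcp/22)
# to a short list of management hosts and drop everyone else who tries to
# open a connection to that port. Addresses below are constructed placeholders.
# Setting IPFW=echo prints the rules instead of loading them, so the ruleset
# can be reviewed before it is applied to a remote machine.

IPFW="${IPFW:-/sbin/ipfw}"
SSH_PORT=22
# Constructed example addresses: the hosts/nets allowed to reach sshd.
ALLOWED_SSH_HOSTS="192.0.2.10 198.51.100.0/24"

# Emit the ordered rule list. ipfw evaluates lower rule numbers first, so the
# per-host allow rules (1000, 1001, ...) precede the catch-all deny at 1100
# (the numbers are an assumption; fit them to an existing ruleset).
# "setup" matches only TCP SYN packets, so established sessions are untouched.
ssh_rules() {
    n=1000
    for h in $ALLOWED_SSH_HOSTS; do
        echo "add $n allow tcp from $h to me $SSH_PORT setup"
        n=$((n + 1))
    done
    # Log the refused attempts: they are the signal that someone is probing.
    echo "add 1100 deny log tcp from any to me $SSH_PORT setup"
}

# Load each emitted rule with the configured ipfw binary (or echo it).
apply_ssh_rules() {
    ssh_rules | while read -r rule; do
        # Word splitting of $rule is intended: each word is an ipfw argument.
        # shellcheck disable=SC2086
        "$IPFW" $rule
    done
}
```

Run it once with IPFW=echo and read the output; the allow lines must all sit before the deny line, and the deny line must match only new connections, otherwise the session you are typing in is the first thing the ruleset cuts off.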