From: Chris Knight (chrisaims.com.au)
Date: Mon Jun 24 2002 - 22:09:28 CDT

    Howdy,

    > -----Original Message-----
    > From: owner-freebsd-securityFreeBSD.ORG
    > [mailto:owner-freebsd-securityFreeBSD.ORG]On Behalf Of Keith
    > Stevenson
    > Sent: Tuesday, 25 June 2002 12:55
    > To: Jacques A. Vidrine
    > Cc: freebsd-securityFreeBSD.ORG
    > Subject: Re: Hogwash
    >
    > I hate to intrude on the conversation, but what is FreeBSD's
    > official response to this? Posturing and full-disclosure debates
    > aside, I'm inclined to take Theo's warning at face value. I
    > know better than to expect my commercial UNIX vendor to act
    > swiftly, but I've come to expect more from the FreeBSD project.
    > If FreeBSD is going to wait until after the exploits are
    > published, please let us know now so I can plan appropriately.
    >
    I don't know what the official response will be, but given the lack
    of information regarding the exploit, plus its effect on a privsep
    enabled ssh, it would be mad not to recommend either turning off
    sshd, or where that is not possible, using firewalling rules to
    restrict ssh access to a limited number of hosts.
    I can understand Theo's concern, but the side effect of his actions
    is simply causing FUD. There will be no guarantee that vendor
    implementation of privsep will stop the exploit, so turning ssh off
    or restricting its access is the wisest course of action.

    > Regards,
    > --Keith Stevenson--
    >
    Regards,
    Chris Knight
    Systems Administrator
    AIMS Independent Computer Professionals
    Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
    Web: http://www.aims.com.au
