Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Matt Piechota (piechotaargolis.org)
Date: Tue Jun 25 2002 - 19:14:06 CDT
On Mon, 24 Jun 2002, Theo de Raadt wrote:
> > Still, we'll all be much more at ease once all the cards are on the
> > table. I appreciate that you are trying to prepare users, but forgive
> > me if I don't agree that witholding the details is the best approach.
> So please, humour me. Who precisely should I be telling this
> information to, who isn't going to leak it, ship patches to their
> customers early, etc.
Since I started this (somewhat), I'll clarify what I meant: I would be
nice if only a version spread were mentioned. It's implied that it's
all OpenSSH before 3.3p1, but that wasn't quite clear. It talked a lot
about privsep, and I was hoping that it was only a privsep problem and not
affect me. Obviously, you don't want to release full details without a
patch, but something along the lines of:
There's a hole in OpenSSH that affects all versions. It's a remote DOS,
and may cause a root hole. Use privsep if you can.
I know that's almost what you said, but IMHO it's just a touch clearer, so
there's no doubt what needs to be done.
-- Matt Piechota
To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message