From: Matt Piechota (piechotaargolis.org)
Date: Tue Jun 25 2002 - 19:14:06 CDT


    On Mon, 24 Jun 2002, Theo de Raadt wrote:

    > > Still, we'll all be much more at ease once all the cards are on the
    > > table. I appreciate that you are trying to prepare users, but forgive
    > > me if I don't agree that withholding the details is the best approach.
    >
    > So please, humour me. Who precisely should I be telling this
    > information to, who isn't going to leak it, ship patches to their
    > customers early, etc.

    Since I started this (somewhat), I'll clarify what I meant: it would be
    nice if only a version spread were mentioned. It's implied that it's
    all OpenSSH before 3.3p1, but that wasn't quite clear. It talked a lot
    about privsep, and I was hoping that it was only a privsep problem and would
    not affect me. Obviously, you don't want to release full details without a
    patch, but something along the lines of:
    There's a hole in OpenSSH that affects all versions. It's a remote DOS,
    and may cause a root hole. Use privsep if you can.

    I know that's almost what you said, but IMHO it's just a touch clearer, so
    there's no doubt what needs to be done.

    -- 
    Matt Piechota