From: Brett Glass (brettlariat.org)
Date: Wed Jun 26 2002 - 11:23:14 CDT
It is clear that Theo was attempting to have people apply the workaround
which had the least chance of revealing the nature of the bug in advance,
lest it be discovered by others and exploited.
It's truly sad that ISS, which knew about Theo's advisory, released this
information today, instead of next week as Theo asked them to. If Theo's
roadmap for disclosure had been followed, more administrators could have
been informed about the bug, and they would have had time to take
preventive measures through the weekend before the skript kiddies began
their race to exploit the bug. Now, the race has begun. In fact, the
problem has been exacerbated because administrators who *could* have
secured their systems thought they'd have time to do so over the weekend.
Theo made a worthy attempt to minimize harm (which should be the goal of
any security policy). It's a shame that ISS sought the spotlight instead
of doing the same.
At 09:10 AM 6/26/2002, Mike Tancsa wrote:
>Also, the ISS advisory states
>"Administrators can remove this vulnerability by disabling the
>Challenge-Response authentication parameter within the OpenSSH daemon
>configuration file. This filename and path is typically:
>/etc/ssh/sshd_config. To disable this parameter, locate the
>corresponding line and change it to the line below:
>ChallengeResponseAuthentication no "
>This would imply there is a workaround, but the talk beforehand
>----quote from Message-Id: <200206242327.g5ONRBLI012690cvs.openbsd.org>---
>You have been told to move up to privsep so that you are immunized by
>the time the bug is released.
>If you fail to immunize your users, then the best you can do is tell
>them to disable OpenSSH until 3.4 is out early next week with the
>bugfix in it. Of course, then the bug will be public.
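The ISS workaround quoted above is a one-line change to sshd_config, but a hand edit is easy to get wrong: the directive can be left commented out, or a duplicate added below an earlier line that sshd ignores, because the first occurrence of a keyword wins. The following added example (not part of this thread) parses a sshd_config with those semantics and reports whether ChallengeResponseAuthentication is off and UsePrivilegeSeparation is on; the two sample configs are constructed for illustration.

```python
import re

# One directive per line: "Keyword value" or "Keyword=value"; keywords are
# case-insensitive. Only the first value token is taken, as sshd does.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S+)")


def effective_setting(config_text, keyword):
    """Return the value sshd would use for `keyword`, or None if never set.

    sshd_config semantics: a line whose first non-blank character is '#' is a
    comment, and the FIRST matching directive wins (later duplicates are ignored).
    """
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(raw)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).lower()
    return None


def audit_sshd_config(config_text):
    """Report whether the two mitigations discussed in the thread are in effect."""
    crp = effective_setting(config_text, "ChallengeResponseAuthentication")
    psep = effective_setting(config_text, "UsePrivilegeSeparation")
    return {
        "challenge_response_value": crp,       # None means "relying on the default"
        "challenge_response_disabled": crp == "no",
        "privsep_value": psep,
        "privsep_enabled": psep == "yes",
    }


# Constructed sample: the directive exists only as a commented-out line, so the
# ISS workaround has NOT actually been applied.
SAMPLE_BEFORE = """\
Port 22
#ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

# Constructed sample: workaround applied and privsep enabled; the trailing
# duplicate "yes" line is ignored because the first occurrence wins.
SAMPLE_AFTER = """\
Port 22
ChallengeResponseAuthentication=no
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_sshd_config(text))
```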