On Wed, Jul 03, 2002 at 04:15:08PM -0700, Tim Howe wrote:
> An SSH issue that was fixed with the latest version.
>
> There's more to it than that; you should be able to find plenty of info
> on www.deadly.org I think.
The latest version of the advisory is at http://www.openssh.com/txt/preauth.adv

The following was posted by Theo, in his usual no-word-mincing style, last night ... (Darren here is Darren Reed ... all I can say about that is search the [EMAIL PROTECTED] archives ... perhaps with a few tall glasses of water nearby)

To: [EMAIL PROTECTED]
Subject: openssh fiasco
Date: Tue, 02 Jul 2002 23:57:30 -0600
From: Theo de Raadt <[EMAIL PROTECTED]>
X-Spam-Level:
X-Loop: [EMAIL PROTECTED]
Precedence: list
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=iso-8859-1
Status: RO

So, in the end, it looks like pretty much all of the Linux vendors upgraded to privsep and rescued their users from the nasty slow-disclosed bug. Many of the vendors immediately re-forwarded the warning to their users to let them know this was coming. Many many users took a security stance. There is tons of happy mail from users in my mailbox.

Stop it guys.

The only bitchy whiny people were
- one or two FreeBSD developers,
- the old NetBSD people who already hate me and make it quite apparent all the time that they hate me (and who did not even tell their users about the alert, and at the same time have been exchanging mail with me accusing me of not telling them at the same time as other vendors)
- Darren ... whose attacks always make it clear I've done the right thing -- if Darren doesn't bitch, I get worried,
- and HP's main security guy who complained that I was forcing him to make a financial decision about pulling programmers out of bed.... and who was forced to retire last Wednesday because of that whole Compaq situation.

A few other people bitched earlier on -- mostly people who work for vendors -- but in hindsight I've been getting a lot of apology letters, and other notices of changes-in-attitude. I would say that 95% of users did not bitch. They were thrilled to be treated better than the vendor for once.

Since the above list is the usual suspects, well, it looks like people think things were handled well. To the rest of you -- thanks for the support.

I expect there will be an OpenSSH 3.5 release in a few weeks, as we continue to polish some other turds in there.

It is a real pity that such an approach was not possible with the resolver stuff, though I cannot think of how we could have made it better. But I heard about it on IRC within 5.5 hours meaning it was leaked -- apparently by some of the usual suspects above because the original alert went through a security-officer contact, though denial runs through egypt -- so the discoverer and I decided to have all the *BSDs rush the changes in and publish an advisory right away.

Anyways, see you at the next advisory... hopefully not for a while.
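The message above hinges on users actually having privilege separation in effect, which is only true if the `UsePrivilegeSeparation` directive is really set in the running config. The following is an added example, written for this page and not code from the thread or from the OpenSSH project: a POSIX shell checker that reports the effective value of that directive in an sshd_config file. It assumes the directive as it existed from OpenSSH 3.3 through 7.4 (later releases make privilege separation mandatory and drop the keyword), and it respects two parser rules an admin easily forgets: sshd uses the first value it sees for a keyword, so a later `no` does not override an earlier `yes`, and directives after a `Match` block are conditional. The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH project): report the
# effective UsePrivilegeSeparation setting of an sshd_config file.
# Assumes the directive as shipped in OpenSSH 3.3 .. 7.4.

privsep_status() {
    # $1: path to an sshd_config file.
    # Prints yes / no / sandbox, or "unset" if the keyword never appears
    # before any Match block (the build's default then applies).
    v=$(awk '
        /^[[:space:]]*#/ { next }          # comment line
        { gsub(/=/, " "); $0 = $0 }        # accept "keyword=value"; re-split fields
        NF == 0 { next }                   # blank line
        tolower($1) == "match" { exit }    # conditional section: stop scanning
        tolower($1) == "useprivilegeseparation" { print tolower($2); exit }  # first value wins
    ' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

write_sample() {
    # $1: output path   $2: variant name   (constructed sample configs)
    case "$2" in
        first_wins) cat > "$1" <<'EOF'
# constructed sshd_config: a later "no" must not override the first "yes"
Port 22
UsePrivilegeSeparation yes
Protocol 2
UsePrivilegeSeparation no
EOF
        ;;
        equals) printf 'UsePrivilegeSeparation=sandbox\n' > "$1" ;;
        unset)  printf 'Port 22\nProtocol 2\n' > "$1" ;;
    esac
}

# Stand-alone demo: run with --demo to print the three cases.
if [ "${1:-}" = "--demo" ]; then
    for variant in first_wins equals unset; do
        f=$(mktemp)
        write_sample "$f" "$variant"
        printf '%s: %s\n' "$variant" "$(privsep_status "$f")"
        rm -f "$f"
    done
fi
```

Run it against a real file with `privsep_status /etc/ssh/sshd_config` after sourcing the script; an answer of `unset` means the protection depends on the compiled-in default of that particular build, which is exactly the situation the vendors in the thread were trying to remove by shipping explicit settings.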
