On Fri, 15 Mar 2002, David Talkington wrote:
> The report to which I referred was from Marcus Friedl, and I have
> attached it below.
Read all the reports, not just those from the fox in the hen house. More
objective reports are available.
>
> Nobody's arguing that one should not assume the worst. That was, in
> fact, my point. But it was also my point that you're comparing a
> demonstrated exploit that went unpatched for four months, with a (by
> some accounts, but not indicated below) possible remote exploit that
> was patched in hours, and using that as a basis to say that OpenSSH is
> no more secure than telnet. I don't think that's justified.
You are misinterpreting. I said that OpenSSH has a checkered security
history as of late in response to your pointing out that some telnet
daemons had security problems in the past (and that is incorrect, BTW.
See the last paragraph). You were implying that the user should be using
SSH, implying it less immune to the security problems you had pointed out
for telnet. My point is that OpenSSH has had recent exploitable problems
and one should not throw out one daemon that might be exploitable for
another that could be without knowing what they are doing and assessing
all the issues. OpenSSH is exploitable, has had 3 or 4 in the past year,
and is not something someone should blindly trust or recommend without
caveats.
> And when it comes to who to trust, draw your own conclusions, but it's
> a safe bet that Friedl's team will be on top of things. Sun, on the
> other hand, has an explicitly stated policy of patching when _they_
> feel it's appropriate, and leaving administrators in the lurch for the
> duration -- you have no choice but to disable a vulnerable service or
> leave it exposed, in this case for several months.
telnetd is not owned or controlled by Sun. In fact, telnetd was not the
problem, login was the problem and anything that called login, including
some ssh programs, were vulnerable. Yes, ssh was just as vulnerable as
telnet in this specific instance if password authentication was turned on.
This is specifically stated in the CERT advisory.
- rick -
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
