Re: ssh vulnerability

On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
> Just as you automate everything you can, in the name of laziness, you can
> wait until stuff falls into your lap instead of going out and fixing it
> yourself, if the problem is not at all likely to lead to any real problems
> for your system.

And where is the relation to security?

Phil

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh vulnerability

On Tue, Oct 23, 2001 at 01:19:58PM +0200, Philipp Schulte wrote:
> On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
> > Just as you automate everything you can, in the name of laziness, you can
> > wait until stuff falls into your lap instead of going out and fixing it
> > yourself, if the problem is not at all likely to lead to any real problems
> > for your system.
>
> And where is the relation to security?

If there is no real security risk to your system (e.g. you weren't using the feature that the problem is in), then you can wait for the security team to handle it and upload a new package. If you have multiple layers of defence, and the vulnerability only takes out one of them, then you can wait a while instead of fixing it yourself. (e.g. with this ssh vuln., you would only be at real risk if attackers actually had the necessary keys, but not access to an IP that you allowed logins from. If you were pretty sure that nobody had stolen your keys, you wouldn't really have to worry about the vuln.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my
day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: ssh vulnerability

On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote:
> I run Debian; and I applied the OpenSSH patch myself as soon as it was
> posted. Does anybody know what the advantages of waiting for a new .deb
> file to get circulated are?

It's easier, esp. if you don't already have source for the latest version.

> The patch was a change to two lines of code; so I just made the changes
> and rebuilt OpenSSH. That's how I do all of my non-kernel patches; seems a
> bit odd to wait around for the distribution's official patch-maker-squad
> to churn out a new .DEB file.

A lot of people are lazy, and will wait for a .deb in the archive. This is a sensible response, because the vulnerability is not severe. As long as they don't have your keys, they still can't get in.

I had a physics prof who always told us that we should be lazy. He meant that we figure out how to solve the problem with simple equations, instead of creating a monster, or a whole lot of equations. (This was quantum mechanics, so it's pretty easy to get screwed if you head off into the wilderness crunching equations.) This principle applies to being a sysadmin. Just as you automate everything you can, in the name of laziness, you can wait until stuff falls into your lap instead of going out and fixing it yourself, if the problem is not at all likely to lead to any real problems for your system.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my
day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: ssh vulnerability

On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
> On Fri, Oct 19, 2001 at 05:06:03PM -0700, Garrett Ellis wrote:
> > I run Debian; and I applied the OpenSSH patch myself as soon as it was
> > posted. Does anybody know what the advantages of waiting for a new .deb
> > file to get circulated are?
>
> It's easier, esp. if you don't already have source for the latest version.

BTW, I'm talking about http://www.securityfocus.com/bid/3369
OpenSSH Key Based Source IP Access Control Bypass Vulnerability

Someone else mentioned a buffer overflow exploit. In that case (remote root exploit or something), then laziness is overruled by the need to keep one's system secure.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my
day so wretchedly into small pieces! -- Plautus, 200 BCE
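Peter's two points above (BID 3369 bypasses the source-IP check on a key, so it only matters where a from= restriction was the layer you were counting on) as an added example, not code from this thread: a Python audit that parses an authorized_keys file with sshd(8)'s option syntax (comma-separated options, quoted values that may themselves contain commas and spaces) and lists the keys whose access is gated by a from= pattern, so an admin can see which entries lose a layer of defence. The sample file, key material and function names are constructed for this example.

```python
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample with fake key material, not a real authorized_keys file
from="10.1.2.3,*.example.org",no-port-forwarding ssh-rsa AAAAB3Nzfake2 backup@nas
ssh-rsa AAAAB3Nzfake1 alice@laptop
from="192.168.0.0/24" ssh-dss AAAAB3Nzfake3 deploy ci key
command="/usr/bin/rsync --server" ssh-rsa AAAAB3Nzfake4 mirror
"""
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def split_outside_quotes(text, seps):
    """Split on chars in seps outside double quotes; backslash escapes inside."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and i + 1 < len(text):
            cur.extend(text[i:i + 2]); i += 2; continue   # keep \" intact
        if c == '"':
            in_quote = not in_quote
        elif c in seps and not in_quote:
            if cur:
                parts.append("".join(cur)); cur = []
            i += 1; continue
        cur.append(c); i += 1
    if cur:
        parts.append("".join(cur))
    return parts

def parse_entry(line):
    """Options, key type and comment of a protocol-2 entry, else None."""
    line = line.strip()
    if not line or line.startswith("#") or line[0].isdigit():
        return None                      # blank, comment or protocol-1 line
    fields = split_outside_quotes(line, " \t")
    if fields[0].startswith(KEY_TYPE_PREFIXES):
        options, rest = [], fields
    else:                                # leading options, e.g. from="a,b",no-pty
        options, rest = split_outside_quotes(fields[0], ","), fields[1:]
    if len(rest) < 2 or not rest[0].startswith(KEY_TYPE_PREFIXES):
        return None                      # malformed entry
    return {"options": options, "keytype": rest[0], "comment": " ".join(rest[2:])}

def from_patterns(options):
    """Address patterns of a from="..." option, or [] if the key has none."""
    vals = [o[5:].strip('"') for o in options if o.lower().startswith("from=")]
    return vals[0].split(",") if vals else []

def audit(text):
    # (comment, patterns) for every key whose access depends on a from= check
    return [(e["comment"], from_patterns(e["options"]))
            for e in map(parse_entry, text.splitlines())
            if e and from_patterns(e["options"])]
```

Run audit() over the real file (e.g. ~/.ssh/authorized_keys) to list the entries for which the source check in BID 3369 was doing real work; keys without from= are unaffected by that particular bug.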
Re: ssh vulnerability

On Fri, Oct 19, 2001 at 03:26:18PM -0800, Ethan Benson wrote:
> On Fri, Oct 19, 2001 at 06:06:34PM -0400, [EMAIL PROTECTED] wrote:
> > Has debian released a new ssh dpkg yet?
>
> no

If this is about the buffer overflow exploit that's supposed to be going around now, wasn't this fixed in the following:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

 -- Martin Schulze [EMAIL PROTECTED]  Thu,  8 Feb 2001 22:15:04 +0100

If it's a different exploit entirely, please ignore.

--
Mike Renfro / RD Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: ssh vulnerability

On Sun, Oct 21, 2001 at 04:41:17PM -0500, Mike Renfro wrote:
> On Fri, Oct 19, 2001 at 03:26:18PM -0800, Ethan Benson wrote:
> > On Fri, Oct 19, 2001 at 06:06:34PM -0400, [EMAIL PROTECTED] wrote:
> > > Has debian released a new ssh dpkg yet?
> >
> > no
>
> If this is about the buffer overflow exploit that's supposed to be going
> around now, wasn't this fixed in the following:

well i assumed he was referring to the OpenSSH2 problems with authorized_keys2 among others fixed in 2.9.9p2. while this is not relevant to stable it does affect unstable users, and the sid ssh packages are still not updated to 2.9.9p2. this is not the responsibility of the security team of course.

there is also the so called traffic analysis problems which stable ssh has no workarounds for. (there are patches to counteract that problem).

> openssh (1:1.2.3-9.2) stable; urgency=high
>
>   * Non-maintainer upload by Security Team
>   * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
>   * Added modified build dependencies from unstable for convenience
>   * Added patch that fixes an rsa key exchange problem made public by CORE SDI.
>
>  -- Martin Schulze [EMAIL PROTECTED]  Thu,  8 Feb 2001 22:15:04 +0100
>
> If it's a different exploit entirely, please ignore.

--
Ethan Benson
http://www.alaska.net/~erbenson/
ssh vulnerability

Hello,

Has debian released a new ssh dpkg yet?

Thanks.

Andrew
Re: ssh vulnerability

On Fri, Oct 19, 2001 at 06:06:34PM -0400, [EMAIL PROTECTED] wrote:
> Hello,
>
> Has debian released a new ssh dpkg yet?

no

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: ssh vulnerability

I run Debian; and I applied the OpenSSH patch myself as soon as it was posted. Does anybody know what the advantages of waiting for a new .deb file to get circulated are?

The patch was a change to two lines of code; so I just made the changes and rebuilt OpenSSH. That's how I do all of my non-kernel patches; seems a bit odd to wait around for the distribution's official patch-maker-squad to churn out a new .DEB file.

Garrett

Ethan Benson wrote:
> On Fri, Oct 19, 2001 at 06:06:34PM -0400, [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > Has debian released a new ssh dpkg yet?
>
> no
>
> --
> Ethan Benson
> http://www.alaska.net/~erbenson/