Hello,

Since SuSE's announcement I have seen only how do I fix my ssh, how do I backport to earlier version? Why is my 3.3 not working, 3.3 has a buffer overflow.

---

Redhat our neighbor handled this extremely well by putting this through their QA teams and found that there were many many issues with 3.3; they found that just by configuring counter-active options in the sshd.config would prevent such exploits without making the mistake to have their customers go to version 3.3 and not in many cases be able to support backward compatibility.

Now that there are official advisories from OpenSSH/OpenBSD and Security Organizations they are informing all that 3.4 fixes bugs, a buffer overflow in 3.3, and yes provides additional security mechanisms.

Does SuSE have a Security QA that reviews the new unfounded code releases and features? Is this how you treat all customers by responding offensively as or like below.

We will opt to most likely no longer QA or include SuSE in our R&D projects. Redhat has a better grip on customer interaction, security errata, updates, and customer satisfaction.

If you would like newline characters which I could care less about, write a damn German anal retentive script to parse through my emails.

Ryan S.

P.S. Your security mailing lists could improve should you want customers to believe your teams have a handle on interacting with their customers. Assuring them when you have sound suggestions for security and provide updates when warranted is also key. It's important not to forget that those who are on these lists may have huge partnerships with you, or buy considerably but it takes only one misrepresentation to do away with this relationship. Perhaps you do not care but then again it's your business.

-----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: Wednesday, June 26, 2002 6:01 PM
To: Ryan Swenson
Cc: Suse-security mailingliste
Subject: RE: [suse-security] Re: [suse-security-announce] SuSE SecurityAnnouncement: OpenSSH (SuSE-SA:2002:023)

FYI -SuSE Gang
http://online.securityfocus.com/advisories/4230
Vendor security teams should investigate the validity of their claims before suggesting all its customers obtain a workaround version released just a short while ago.
What exactly is your problem? Correct me if I misunderstand you.
If you read that stuff a bit more carefully, you'd know that this was the
only thing we could do, except for sitting there and doing nothing. The fact
that these packages were of preliminary nature is nothing new. There will
be another sweep of them along your way.
(Your mail lacks newline characters)
Roman.
--
Roman Drahtmüller