Mailinglist Archive: opensuse-security (499 mails)

RE: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSeparation
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Thu, 27 Jun 2002 07:45:03 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1A5706B@xxxxxxxxxxxxxxxxx>
> Again I feel SuSE jumped ahead or in with a knee-jerk
> reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose
> argument to this moment has been largely unfounded. Until
> they have produced enough documentation actually warning of
> the exploit and where exactly it does so, it has not even
> been made a CVE candidate, released in any official advisory
> except SuSE. The Developers of OpenSSH do not even have an
> answer themselves but to upgrade to 3.3 for a mere workaround
> whereas 3.3 has fundamental issues of its own.

ISS and Theo announced a *remote root exploit* in OpenSSH, not giving any
information about mitigating factors or any other details. This is a very
serious problem. And if there wasn't an exploit out in the wild already,
after this announcement it is highly probable that it wouldn't take long for
one to appear. On the black-hat side, that is.

In the meantime, with the news being out, the only half-solution given was
adopted by SuSE very quickly and released to its customers, not few of whom
rely on OpenSSH to administer systems across the Internet.

> I would wait until its official before getting all too
> excited -perhaps look at
> http://online.securityfocus.com/advisories/4230

That's exactly what Olaf et al. checked out. I don't see your point. SuSE
didn't claim that the new OpenSSH RPMs fix the problem, it was rather clear
(at least to me) that they were 'only' patched so as to conform to Theo's
recommended mitigator. I see nothing wrong with that. And if you know
better, don't update your package, it's not like they're forcing you or
anything. I think you'll agree that just because you've got a vendor, that
doesn't mean you shouldn't try to make informed decisions of your own about
your systems. But it's nice to have prompt assistance from the vendor, SuSE
in this case.

Tobias
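
The mitigation the reply refers to is the UsePrivilegeSeparation option that the 3.3 upgrade was recommended for. As an added illustration, not code from this thread or from SuSE's packages, here is a small POSIX shell audit that reports what a given sshd_config actually says about that option. It assumes only the documented sshd_config syntax: sshd uses the first value it finds for a keyword, keywords are matched case-insensitively, and "Keyword value" and "Keyword=value" are both accepted. The sample config files it writes are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the list thread or from SuSE's packages.
# Reports what an sshd_config says about UsePrivilegeSeparation, the
# option the advisory recommended turning on after upgrading to 3.3.
# Two parsing rules matter when auditing: sshd takes the FIRST value
# given for a keyword, and keywords are matched case-insensitively.
# Values may be written "Keyword value" or "Keyword=value".

# Print the effective UsePrivilegeSeparation value ("yes", "no", ...)
# from the file named in $1, or "unset" when the file never sets it.
privsep_setting() {
    awk '
        /^[[:space:]]*#/ { next }                # skip comment lines
        NF == 0          { next }                # skip blank lines
        {
            line = $0
            gsub(/=/, " ", line)                 # allow Keyword=value
            n = split(line, f)
            if (n < 2) next
            if (tolower(f[1]) == "useprivilegeseparation") {
                print tolower(f[2]); found = 1; exit   # first match wins
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 when the config explicitly enables privilege separation
# ("yes", or "sandbox" in later releases), 1 otherwise. A file that
# never sets the option is treated as NOT enabled: whether the compiled
# default is on depends on the build, so an audit should not rely on it.
privsep_enabled() {
    case "$(privsep_setting "$1")" in
        yes|sandbox) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample configs (not real files from any host) for a demo run.
demo() {
    good=$(mktemp); bad=$(mktemp); none=$(mktemp)
    printf 'Port 22\nuseprivilegeseparation=yes\nUsePrivilegeSeparation no\n' > "$good"
    printf '# UsePrivilegeSeparation yes\nUsePrivilegeSeparation no\n' > "$bad"
    printf 'Port 22\nProtocol 2\n' > "$none"
    for f in "$good" "$bad" "$none"; do
        if privsep_enabled "$f"; then
            echo "$f: privilege separation enabled ($(privsep_setting "$f"))"
        else
            echo "$f: privilege separation NOT enabled ($(privsep_setting "$f"))"
        fi
    done
    rm -f "$good" "$bad" "$none"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh privsep_check.sh --demo` to see the three sample verdicts, or source it and call `privsep_enabled /etc/ssh/sshd_config` on a real host. The deliberate choice to report "unset" as not enabled is the point of the check: a commented-out "yes" or a missing line is exactly what an administrator who believed the upgrade alone was the fix would have.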
