Ben, thanks for your friendly words!

On Tue, Jun 25, 2002 at 10:31:09PM -0700, Ben Rosenberg wrote:
> It's a quickfix for a problem that was thought to be a serious one.

This is indeed what it is. The entire thing is a band-aid, and I'm not very proud of it.

For the record, we were notified of this vulnerability on Monday afternoon (and I didn't learn that you have to go to 3.3 _and_ enable privilege separation until after I had built RPMs for all suse platforms :) So yes, you can say we released this update in a bit of a rush, and it doesn't quite live up to what you're used to. For that I apologize.

The alternative however would have been leaving all of you without a patch; and the prospect of someone releasing anytime that would root all your boxes out there isn't a very entertaining one. I am sure you will agree.

We will investigate the issue with MD5 passwords. This is probably just another manifestation of a general problem with PAM and privsep, which is that keyboard-interactive mode isn't working properly. For the time being, I recommend not using MD5 passwords. Either fall back to normal crypt passwords for the moment, or use publickey authentication with a good pass phrase on the private key.

Given the problems with 3.3p1, expect another patch as soon as 3.4 is available and we've had some time to test everything more thoroughly than this time.

Cheers
Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann