RE: [suse-security] OpenSSH Vulnerability and Setting PrivilegeSe paration
Again I feel SuSE jumped ahead or in with a knee-jerk reaction to the alleged OpenBSD/OpenSSH exploit for SSH whose argument to this moment has been largely unfounded. Until they have produced enough documentation actually warning of the exploit and where exactly it does so, it has not even been made a CVE candidate, released in any official advisory except SuSE. The Developers of OpenSSH do not even have an answer themselves but to upgrade to 3.3 for a mere workaround whereas 3.3 has fundemental issues of its own.
ISS and Theo announced a *remote root exploit* in OpenSSH, not giving any information about mitigating factors or any other details. This is a very serious problem. And if there wasn't an exploit out in the wild already, after this announcement it is highly probable that it wouldn't take long for one to appear. On the black-hat side, that is. In the meantime, with the news being out, the only half-solution given was adopted by SuSE very quickly and released to its customers, not few of whom rely on OpenSSH to administer systems across the Internet.
I would wait until its official before getting all too excited -perhaps look at http://online.securityfocus.com/advisories/4230
That's exactly what Olaf et al. checked out. I don't see your point. SuSE didn't claim that the new OpenSSH RPMs fix the problem, it was rather clear (at least to me) that they were 'only' patched so as to conform to Theo's recommended mitigator. I see nothing wrong with that. And if you know better, don't update your package, it's not like they're forcing you or anything. I think you'll agree that just because you've got a vendor, that doesn't mean you shouldn't try to make informed decisions of your own about your systems. But it's nice to have prompt assistance from the vendor, SuSE in this case. Tobias
On Thursday 27 June 2002 01:45 am, you wrote:
ISS and Theo announced a *remote root exploit* in OpenSSH, not giving any information about mitigating factors or any other details. This is a very serious problem. And if there wasn't an exploit out in the wild already, after this announcement it is highly probable that it wouldn't take long for one to appear. On the black-hat side, that is.
In the meantime, with the news being out, the only half-solution given was adopted by SuSE very quickly and released to its customers, not few of whom rely on OpenSSH to administer systems across the Internet.
Of course this is the ongoing discussion. Being that blackhats are amazingly able to dig out root exploits, the only way to stay ahead is to inform the community, and for the community to do daily security checking/patching. As you noticed they released part of the exploit giving us the chance to 1) do a temporary change to get around it and 2) a patch to stop it. 3) Then the second half was released, also with a fix (V3.4).
I would wait until its official before getting all too excited -perhaps look at http://online.securityfocus.com/advisories/4230
That's exactly what Olaf et al. checked out. I don't see your point. SuSE didn't claim that the new OpenSSH RPMs fix the problem, it was rather clear (at least to me) that they were 'only' patched so as to conform to Theo's recommended mitigator. I see nothing wrong with that. And if you know better, don't update your package, it's not like they're forcing you or anything. I think you'll agree that just because you've got a vendor, that doesn't mean you shouldn't try to make informed decisions of your own about your systems. But it's nice to have prompt assistance from the vendor, SuSE in this case.
Tobias
-- Steve Szmidt V.P. Information Technology Video Group Distributors, Inc.
participants (2)
-
Reckhard, Tobias -
Steve