RE: [suse-security] Re: [suse-security-announce] SuSE SecurityAnnouncement: OpenSSH (SuSE-SA:2002:023)
Hello,

Since SuSE's announcement I have seen only how do I fix my ssh, how do I backport to earlier version? Why is my 3.3 not working, 3.3 has a buffer overflow.

--- Redhat our neighbor handled this extremely well by putting this through their QA teams and found that there were many many issues with 3.3; they found that just by configuring counter-active options in the sshd.config would prevent such exploits without making the mistake to have their customers go to version 3.3 and not in many cases be able to support backward compatibility.

Now that there are official advisories from OpenSSH/OpenBSD and Security Organizations they are informing all that 3.4 fixes bugs, a buffer overflow in 3.3, and yes provides additional security mechanisms.

Does SuSE have a Security QA that reviews the new unfounded code releases and features? Is this how you treat all customers, by responding offensively as or like below? We will opt to most likely no longer QA or include SuSE in our R&D projects. Redhat has a better grip on customer interaction, security errata, updates, and customer satisfaction.

If you would like newline characters, which I could care less about, write a damn German anal retentive script to parse through my emails.

Ryan S.

P.s. Your security mailing lists could improve should you want customers to believe your teams have a handle on interacting with their customers. Assuring them when you have sound suggestions for security and provide updates when warranted is also key. It's important not to forget that those who are on these lists may have huge partnerships with you, or buy considerably, but it takes only one misrepresentation to do away with this relationship. Perhaps you do not care but then again it's your business.
-----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: Wednesday, June 26, 2002 6:01 PM
To: Ryan Swenson
Cc: Suse-security mailingliste
Subject: RE: [suse-security] Re: [suse-security-announce] SuSE SecurityAnnouncement: OpenSSH (SuSE-SA:2002:023)
FYI -SuSE Gang
http://online.securityfocus.com/advisories/4230
Vendor security teams should investigate the validity of their claims before suggesting all its customers obtain a workaround version released just a short while ago.
What exactly is your problem? Correct me if I misunderstand you.
If you read that stuff a bit more carefully, you'd know that this was the only thing we could do, except for sitting there and doing nothing. The fact that these packages were of preliminary nature is nothing new. There will be another sweep of them along your way.
(Your mail lacks newline characters)
Roman.
--
Roman Drahtmüller
Hi,

On Thursday 27 June 2002 16:17, Ryan Swenson wrote:
--- Redhat our neighbor handled this extremely well by putting this through their QA teams and found that there were many many issues with 3.3; they found that just by configuring counter-active options in the sshd.config would prevent such exploits without making the mistake to have their customers go to version 3.3 and not in many cases be able to support backward compatibility.
That's not QA. This is just what I call a wait-and-see approach. Red Hat just waited for the problem to go away, SuSE could have done that as well.

ISS and the OpenBSD team are the ones you should blame, for their very vague and nebulous announcements.

Anyway, SuSE's announcement was clear enough for me to decide not to upgrade in the first place but to firewall sshd instead, until further clarification concerning the impact of the vulnerability. Personally, I trust my own intelligence enough to not rely on hand-holding from any vendor too much.

I'll skip the rest of your mail since useless flames are not worth repeating.

Regards, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Just for the record: I completely agree with Martin's statement and his analysis of the mail he commented on. SuSE is doing a fantastic job and this mailing list and their announcements are very supportive and informative. Thanks to all involved!

Regards, Stefan

On Thursday, 27 June 2002, at 16:42, Martin Leweling wrote:
Hi,
On Thursday 27 June 2002 16:17, Ryan Swenson wrote:
--- Redhat our neighbor handled this extremely well by putting this through their QA teams and found that there were many many issues with 3.3; they found that just by configuring counter-active options in the sshd.config would prevent such exploits without making the mistake to have their customers go to version 3.3 and not in many cases be able to support backward compatibility.
That's not QA. This is just what I call a wait-and-see approach. Red Hat just waited for the problem to go away, SuSE could have done that as well.
ISS and the OpenBSD team are the ones you should blame, for their very vague and nebulous announcements.
Anyway, SuSE's announcement was clear enough for me to decide not to upgrade in the first place but to firewall sshd instead, until further clarification concerning the impact of the vulnerability. Personally, I trust my own intelligence enough to not rely on hand-holding from any vendor too much.
I'll skip the rest of your mail since useless flames are not worth repeating.
Regards, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
P.s. Your security mailing lists could improve should you want customers to believe your teams have a handle on interacting with their customers. Assuring them when you have sound suggestions for security and provide updates when warranted is also key. It's important not to forget that those who are on these lists may have huge partnerships with you, or buy considerably, but it takes only one misrepresentation to do away with this relationship. Perhaps you do not care but then again it's your business.
sorry, but I don't like such "I am the king customer.." crap. what is your problem? do you want Roman to talk without coming directly to the point? you can/should criticize when they made obviously technical mistakes, but you said "RedHat has a better grip..." does RedHat know more about the openssh bug, although ISS does not publish the details? I don't think so. nothing was known about the security hole, therefore it was a great job from SuSE.

and why cc half the world?

--
Mit freundlichen Grüssen / With kind regards
Dipl.-Ing. Harald Nikolisin
SOFiSTiK AG (Entwicklung)
On Thu, 27 Jun 2002 10:17:12 -0400, "Ryan Swenson" wrote:
Hello,
Since SuSE's announcement I have seen only how do I fix my ssh, how do I backport to earlier version? Why is my 3.3 not working, 3.3 has a buffer overflow.
FOR GOD'S SAKE!! DOESN'T ANYONE LISTEN??!!! As has been stated repeatedly on suse-security, the current openssh version DOES NOT FIX THE BUG!!! It DOES however work around the bug by using Privilege separation to limit the damage that can be done. PLEASE READ THE FOLLOWING

cat openssh-3.3p1-6.i386_en.info
openssh: Secure shell client and server (remote login program)
File: openssh-3.3p1-6.i386.rpm
Patchrpm: openssh-3.3p1-6.i386.patch.rpm
Version: 3.3p1
Size: 508 kB
Patchsize: 440 kB
Date: Tue 25 Jun 2002 12:56:37 PM CEST
Source: openssh-3.3p1-6.src.rpm
Security: Yes
----------------------------------------------------------------------
Description:
Security update: This update works around a security problem in OpenSSH.

Notice the line above here??? This package was released very hurriedly by SuSE (Thanks guys) based on the incomplete info provided by Theo (who is one of the more idiotic people who inhabit the open source world). As several people from SuSE have said, another version will be released soon which does fix the problem properly, but this has not happened yet and as such there is nothing to "backport".

In any case, if you have left your openssh config as default then you are "mostly" not vulnerable, as the feature that has the bug is turned off by default on SuSE Linux.

Just out of interest, what the hell did you think you were going to accomplish by ccing your mail to press@suse.com and sales@suse.com? Were you going for maximum possible exposure of your idiocy? Next time maybe you should add sales@microsoft.com and sales@ford.com and imastupididiotwhodoesntreadannouncements@disney.com to your list!!!

Before anyone asks, yes, I've had a terrible day, and I need more coffee!

--
Have fun
Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer http://www.susesecurity.com/faq/
"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
Hi Ryan,
I think you missed something. This is a Linux mailing list; if you want to have a "windows based" behavior please visit M$ and don't bore us.
If you think SuSE isn't the right Distro feel free to change it or make your own.
Again, this is L I N U X and it depends on _you_ what _you_ do with _your_ box.
If you want to play Admin then just try to think and write like one.
kind regards,
Daniel
PS.: Do you think it's of any interest to us if you change to RedHat?
On Thu, Jun 27, 2002 at 10:17:12AM -0400, Ryan Swenson wrote:
Hi List

Something slightly OT but funny.
- Mr. Ryan Swenson is a "famous" Hacker
- He got a new account at www.cyberspace.org named dlord
- put a .forward file in there with my email address in it.
- sent me some flames from his new account.
- so I decided to also get such an account.
- after sending an email from my new cyberspace.org account to his private email address Ryan.Swenson@togethersoft.com complaining about his behavior I got a talk request from this dlord@cyberspace.org :-) *lol*
- His Login IP was 12.155.50.42 which belongs to TOGETHERSOFT (NETBLK-TOGETHER418-50) TOGETHER418-50 12.155.50.0 - 12.155.50.255 ups :-)
- btw. my login IP address doesn't belong to me/my company/etc. pp sorry Mr. Ryan ;-)

So, well now the slogan of togethersoft may be a bit ironic... "Togethersoft --- improving the way people work together"

Everything coming from togethersoft or cyberspace.org will now be filtered by my servers. Well done Mr Ryan.

Just my 2 cents

Greetings to all the good guys
Daniel Lord

PS.: It was too funny to keep it for me, sorry.
Hi List,

I was just looking through an nmap -l -n and got the following:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 172.16.0.xxx:1 0.0.0.0:* 7

is this "raw" entry anything to be concerned about?

Rgds
Hi Terence,

On Fri, Jun 28, 2002 at 02:13:01PM +0800, Terence wrote:
I was just looking through an nmap -l -n and got the following:
oh, where did you find those options for nmap? Every nmap version I tried doesn't have them :-) looks more like netstat I think.
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 172.16.0.xxx:1 0.0.0.0:* 7
is this "raw" entry anything to be concerned about?
Just visit http://xforce.iss.net/static/1452.php and watch out for some loki processes on your machine. Maybe that's the matter. If so you've got some problems. :-(

Good Luck
Daniel Lord
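As an added illustration (not code from the thread): a small Python script that parses netstat -l -n style output like the lines quoted above and reports every raw socket together with the IP protocol it captures, since for raw sockets netstat prints the protocol number in the port slot (1 = ICMP). The sample output is constructed and 172.16.0.10 is a placeholder address.

```python
# Constructed sample of `netstat -l -n` output, mirroring the lines quoted in the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 172.16.0.10:1           0.0.0.0:*               7
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
"""

# IP protocol numbers that commonly show up on raw sockets; 255 is IPPROTO_RAW
# (the socket gets every protocol, headers included).
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 255: "RAW"}


def parse_netstat(text):
    """Turn netstat's column layout into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Proto", "Active"):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        addr, _, port = local.rpartition(":")   # "a.b.c.d:port" or "a.b.c.d:*"
        rows.append({"proto": proto, "addr": addr, "port": port,
                     "foreign": foreign, "state": state})
    return rows


def raw_socket_findings(text):
    """One finding per raw socket: which IP protocol it sees and on which address.

    A raw ICMP socket is normal for tools such as ping; what matters is which
    process owns it, which is what the thread's loki hint is about (netstat -p
    shows the owner on Linux). The state column for raw sockets is a bare
    number, so it is ignored here.
    """
    findings = []
    for row in parse_netstat(text):
        if row["proto"] != "raw":
            continue
        proto_num = int(row["port"])
        findings.append({"addr": row["addr"], "ip_proto": proto_num,
                         "name": IP_PROTO_NAMES.get(proto_num, "proto-%d" % proto_num)})
    return findings


if __name__ == "__main__":
    for f in raw_socket_findings(SAMPLE_NETSTAT):
        print("raw socket on %s capturing %s (protocol %d): check the owning process"
              % (f["addr"], f["name"], f["ip_proto"]))
```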