[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Upcoming OpenSSH vulnerability
- To: <firstname.lastname@example.org>
- Subject: Re: Upcoming OpenSSH vulnerability
- From: "Al Lipscomb" <email@example.com>
- Date: Wed, 26 Jun 2002 00:08:47 -0400
- Content-Class: urn:content-classes:message
- thread-index: AcIcxk4OV33P2FNlQLesopaTM3TL3QAACU+A
- Thread-Topic: Upcoming OpenSSH vulnerability
> > I don't have the patience to patch OpenSSH and re-patch it
> again next
> > week, so I think I'll just have pf block port 22. :-)
> you're missing the point.
> you don't have to patch it next week if you enable privsep.
That may or may not be true. The recommendation is to upgrade to 3.3 and
enable privsep. Since we have no idea as to the nature of the
exploitable code, any advise at this time is dangerous. For example, the
given workaround may only prevent an elevation of privlige attack but
still leave the machine open to a DOS attack. The developers are doing
the best possible for the situation and trying to second guess them is
not a good idea right now.
Like most things, if you don't need the service then shut it down (or
block the port)!
Once a true fix is available, with correct code, it is just the right
thing to move to the new version.