[ILUG] openssh vulnerability
Paul Kelly
longword at esatclear.ie
Tue Jun 25 07:48:17 IST 2002
Anders Holm wrote:
> What I can get out of this is that Theo and Co. actually have _tried_
> resolving this _with_ vendors, but that they are not responding properly to
> this vulnerability and apparently do not seem to care to help out.
That's not what I read from it - to me it seems he has informed the
vendors that some nondescript vulnerability exists, and that his best
solution at this time is not to fix the vulnerability but to change how
OpenSSH is used and implemented on each and every platform, using a
mechanism that has barely been used at all in the field. If I were a
vendor right now, I'd be thinking long and hard about forking OpenSSH
and requesting direct notification of vulnerabilities for the new package.
> Theo also states that PrivSep IS NOT A FIX but at least a workaround UNTIL a
> patch can be distributed. So, he is giving people a way of closing a flaw
> until it can be fixed. Since when is that bad? Sure, not ideal, but is it
> _so_ horrible?
What's _so_ horrible is threatening the vendors (and users) that if they
don't use OpenSSH a certain way, using a completely new code path, their
customers will be put at risk. He has stated that details of the
vulnerability will be released next week, but made no mention of a patch
to secure this vulnerability before those details are released.
> flaming someone who has not even been copied on your flames, and probably
> knows nothing of it. Would you like to be treated the same way?
Theo knows exactly what he's doing, and I'd be surprised if he's not
getting enough flames as-is without us adding to his troubles.
Paul.