[ILUG] openssh vulnerability
anders.holm at elivefree.net
Tue Jun 25 12:00:41 IST 2002
> It's not a work-around if you're running 2.2 kernels, as many people
> still are. I'm running a pair of heavily modded RH 6.2 machines, with
> upgraded kernels and all public services upgraded to latest.
Apparently John Madden was successful in this. Maybe one would ask him how
he did this? Might even be worth the effort, who knows?
> Suddenly I'm being told that I have to re-install both servers because
> of Theo de Raadt? Screw that. It's extremely irresponsible to insist on
> a pet solution that screws things up permanently for a large number of
No one said you'd have to re-install, did they, or did I miss something
along the way? That's your choice, you're the admin. No one insisted on it,
but rather gave a recommendation for a workaround. And please, enlighten me
how it would screw things up for you. How exactly have you then "modded"
your _old_ RH 6.2 boxes? Maybe that is where your _real_ problem lies??
Maybe someone here would have a fix for your particular problem. After all,
isn't that why this list exists?
And for being irresponsible in giving a recommendation, wouldn't you rather
know about it than be "in the dark"?? To me, hearing this type of argument
from a sysadmin makes me wonder a bit. Are you not rather happier knowing
that there may be a problem, rather than having to find it out the hard way?
Isn't it beneficial in some way at all to know that your systems _may_ get
compromised by this vulnerability?
At this point, I think I've stated all of my argumentation on this subject.
I wouldn't be surprised at all if I get to hear this type of argumentation a
bit more. In any case, no one has forced anyone to make any changes or
re-installs. This is all up to the responsible sysadmin to take care of and
plan for. And don't tell me that you'd have no planning ahead for possible
security vulnerabilities, then you're even worse than the people you are
flaming, since you then don't take the proper responsibility you should.
I've now dished out my share of flaming on this. I'd rather spend my time,
and the list's resources in trying to see what happens and if I could do
anything to help. The fact remains, there is a _possible_ vulnerability in
OpenSSH. Why not try to help fixing it instead of flaming the people who let
you know about it? In that way we'd all benefit. Who benefits by this?