Full Disclosure mailing list archives
Re: The lowdown on SSH vulnerability
From: "Joe Shevland" <jshevland () ozemail com au>
Date: Wed, 17 Sep 2003 09:36:07 +1000
----- Original Message -----
From: "Daniel Berg" <daniel () eds de>
To: "Carl Livitt" <carl () learningshophull co uk>
Cc: <full-disclosure () lists netsys com>
Sent: Tuesday, September 16, 2003 11:22 PM
Subject: Re: [Full-disclosure] The lowdown on SSH vulnerability
Nice conversation, makes clear why Theo is loved by so many people.
Without seeing the original email chain in its entirety, not that I want(ed in part) to - well, here's a guy that's had very little sleep, has contributed to the open source community software that thousands use, and is responsibly trying to fix the problem (probably in the face of an enormous amount of pressure and outside demands). And he's having his laundry aired on this list, and then further attacked because he's not being diplomatic about it? Unless I'm missing something, is Theo part of a company that is charging excessive fees for software and services? If he is, then people that purchase those services of course have a right to ask for personal support (and expect courteous responses).
So what we know now is that possibly core devices like Firewalls and Switches and whatnot could be attacked as well. Can anyone confirm this? Any suggestions on how to workaround this?
Given the protocol, encryption requirements, and nature of the problem that we're talking about, *and* that you've mentioned 'Firewalls' and 'Switches' and 'whatnot', do you really expect someone to come up with a workaround for 'those' devices? Specific vendors etc. are a different matter, as FreeBSD has shown with its patches.

Cheers,
Joe
Cheers
Daniel

On Tue, 2003-09-16 at 14:25, Carl Livitt wrote:
Straight from the horse's mouth, this is a snippet of an email conversation I just had with Theo Deraadt:
--------------
Theo,

Is there a patch available to patch the off-by-one that has been reported in OpenSSH? As it is being actively exploited in the wild, I would like to patch my servers ASAP (as you can probably imagine).

Thank you for taking the time to read - and hopefully respond to - this email.

Kind regards,
Carl
---------------
A flamefest ensued, but his answer was:

Bugger off, wait like the rest of the planet.
Well said.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html