Full Disclosure mailing list archives

RE: The lowdown on SSH vulnerability


From: "Andy Wood" <andy () digitalindustry org>
Date: Tue, 16 Sep 2003 09:16:42 -0400

Well maybe he's had to answer 10,000,000 emails on it, which if he
doesn't respond he'll get the same press as you're giving up.  Maybe he's
swamped with other contributions to the computing industry. Seeing that yer
so tireless why don't you learn to write patches instead of just squawking
about it.


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Carl Livitt
Sent: Tuesday, September 16, 2003 8:26 AM
To: full-disclosure () lists netsys com


Straight from the horse's mouth, this is a snippet of an email conversation I
just had with Theo de Raadt:

--------------
Theo,

Is there a patch available to patch the off-by-one that has been reported in
OpenSSH ?  As it is being actively exploited in the wild, I would like to
patch my servers ASAP (as you can probably imagine).

Thank you for taking the time to read - and hopefully respond to - this
email.

Kind regards,

Carl
---------------

A flamefest ensued, but his answer was:

Bugger off, wait like the rest of the planet.

-------------

After more flaming abuse, I received this from him:

I have been spending the last 10 days making openbsd releases for about
14-15 hours a day for people to use. We've been spending hours and hours
making openssh release. We are dealing with an, as far as we know,
unexploitable hole (affects some systems, but not openbsd it is pretty
clear) issue for all of you who run other system. we've been dealing with
this frantically to make something that the internet relies on as good as
it possibly can be. no sleep for 30 hours and you expect me to treat
you special?

AND YOU EXPECT ME TO TREAT YOU SPECIAL?

AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK RIGHT?

and you think that you pasting it to some icb channel makes me feel worth
less, when every single hp and cisco switch containing this code is likely
vulnerable, and i don't like that, and want to make the world a better place
even if it kills me due to stress and lack of sleep because i think that a
better world is a better place to live my life?


The main point is that "every single hp and cisco switch containing this
code is likely vulnerable". Oh dear, this could get nasty... batten down the
hatches...

Poor Theo, he needs his rest.

Carl.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

