Subject: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 15:00:10 -0600
From: Theo de Raadt <XXXXXXXXXXXXXXXXXXXXXXX>
There is an upcoming OpenSSH vulnerability that we're working on
with ISS. Details will be published early next week.
Well, nice to know that “early next week” means “today.” Also nice to know
that the couple of hours I yesterday
could have been fixed with a simple one line configuration change.
I'm of mixed minds about how this was handled. I do think Theo overplayed
his hand in attempting to force one particular way of fixing the problem
with priviledge serparation (which is probably a good idea if the operating
system in question supports it) but given that an exploit in OpenSSH could cause massive
damage, how else can you solve the problem such that the damage is
Hard questions, and that's why I'm of mixed minds (I would have preferred
knowing about the one line configuration change but would have that given
the Black Hats enough of a clue to write an exploit?)
Obligatory Contact Info
You have my permission to link freely to any entry here. Go
ahead, I won't bite. I promise.
The dates are the permanent links to that day's entries (or
entry, if there is only one entry). The titles are the permanent
links to that entry only. The format for the links are
simple: Start with the base link for this site: http://boston.conman.org/, then add the date you are
interested in, say 2000/08/01,
so that would make the final URL:
You can also specify the entire month by leaving off the day
portion. You can even select an arbitrary portion of time.
You may also note subtle shading of the links and that's
intentional: the “closer” the link is (relative to the
page) the “brighter” it appears. It's an experiment in
using color shading to denote the distance a link is from here. If
you don't notice it, don't worry; it's not all that
It is assumed that every brand name, slogan, corporate name,
symbol, design element, et cetera mentioned in these pages is a
protected and/or trademarked entity, the sole property of its
owner(s), and acknowledgement of this status is implied.