Open Source and information security mailing list archives
From: carl at learningshophull.co.uk (Carl Livitt)
Subject: The lowdown on SSH vulnerability

There _is_ a patch:

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h

Carl.

On Tuesday 16 September 2003 12:25, Carl Livitt wrote:
> Straight from the horse's mouth, this is a snippet of an email conversation
> I just had with Theo de Raadt:
>
> --------------
> Theo,
>
> Is there a patch available to patch the off-by-one that has been reported
> in OpenSSH ?  As it is being actively exploited in the wild, I would like
> to patch my servers ASAP (as you can probably imagine).
>
> Thank you for taking the time to read - and hopefully respond to - this
> email.
>
> Kind regards,
>
> Carl
> ---------------
>
> A flamefest ensued, but his answer was:
>
> Bugger off, wait like the rest of the planet.
>
> -------------
>
> After more flaming abuse, I received this from him:
>
> I have been spending the last 10 days making openbsd releases for
> about 14-15 hours a day for people to use
> We've been spending hours and hours making openssh release
> We are dealing with an, as far as we know, unexploitable hole
> (affects some systems, but not openbsd it is pretty clear) issue
> for all of you who run other system
> we've been dealing with this frantically
> to make something that the internet relies on as good
> as good as it possibly can be
> no sleep for 30 hours
> and you expect me to treat you special?
>
> AND YOU EXPECT ME TO TREAT YOU SPECIAL?
>
> AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK
> RIGHT?
>
> and you think that you pasting it to some icb channel makes me feel
> worth less, when every single hp and cisco switch containing this code
> is likely vulnerable, and i don't like that, and want to make the
> world a better place even if it kills me due to stress and lack of
> sleep because i think that a better world is a better place to live
> my life?
>
>
> The main point is that " every single hp and cisco switch containing this
> code is likely vulnerable". Oh dear, this could get nasty.. batten down the
> hatches...
>
> Poor Theo, he needs his rest.
>
> Carl.
>
> Carl.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Carl Livitt
IT Manager
Changes - The Learning Shop
Suite 16, Friary Chambers
Whitefriargate
Hull, HU1 2HA

Tel. (01482) 211758
Fax. (01482) 211012
Email. carl@...rningshophull.co.uk

