Message-ID: <1063718544.563.204.camel@bsdbox.rue.de.eds.com>
From: daniel at eds.de (Daniel Berg)
Subject: The lowdown on SSH vulnerability
Nice conversation, makes clear why Theo is loved by so many people.
So what we know now is that possibly core devices like Firewalls and
Switches and whatnot could be attacked as well. Can anyone confirm this?
Any suggestions on how to work around this?
Cheers
Daniel
On Tue, 2003-09-16 at 14:25, Carl Livitt wrote:
> Straight from the horse's mouth, this is a snippet of an email conversation I
> just had with Theo Deraadt:
>
> --------------
> Theo,
>
> Is there a patch available to patch the off-by-one that has been reported in
> OpenSSH ? As it is being actively exploited in the wild, I would like to
> patch my servers ASAP (as you can probably imagine).
>
> Thank you for taking the time to read - and hopefully respond to - this email.
>
> Kind regards,
>
> Carl
> ---------------
>
> A flamefest ensued, but his answer was:
>
> Bugger off, wait like the rest of the planet.
>
> -------------
>
> After more flaming abuse, I received this from him:
>
> I have been spending the last 10 days making openbsd releases for
> about 14-15 hours a day for people to use
> We've been spending hours and hours making openssh release
> We are dealing with an, as far as we know, unexploitable hole
> (affects some systems, but not openbsd it is pretty clear) issue
> for all of you who run other system
> we've been dealing with this frantically
> to make something that the internet relies on as good
> as good as it possibly can be
> no sleep for 30 hours
> and you expect me to treat you special?
>
> AND YOU EXPECT ME TO TREAT YOU SPECIAL?
>
> AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK
> RIGHT?
>
> and you think that you pasting it to some icb channel makes me feel
> worth less, when every single hp and cisco switch containing this code
> is likely vulnerable, and i don't like that, and want to make the
> world a better place even if it kills me due to stress and lack of
> sleep because i think that a better world is a better place to live
> my life?
>
>
> The main point is that "every single hp and cisco switch containing this code
> is likely vulnerable". Oh dear, this could get nasty.. batten down the
> hatches...
>
> Poor Theo, he needs his rest.
>
> Carl.