Open Source and information security mailing list archives
Message-ID: <009d01c37cab$4df353b0$0100000a@internal.ewise.com>
From: jshevland at ozemail.com.au (Joe Shevland)
Subject: The lowdown on SSH vulnerability

----- Original Message ----- 
From: "Daniel Berg" <daniel@....de>
To: "Carl Livitt" <carl@...rningshophull.co.uk>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, September 16, 2003 11:22 PM
Subject: Re: [Full-Disclosure] The lowdown on SSH vulnerability


> Nice conversation, makes clear why Theo is loved by so many people.

Without seeing the original email chain in its entirety, not that I want(ed
in part) to - well, here's a guy that's had very little sleep, has
contributed to the open source community software that thousands use, and is
responsibly trying to fix the problem (probably in the face of an enormous
amount of pressure and outside demands). And he's having his laundry aired
on this list, and then further attacked because he's not being diplomatic
about it?

Unless I'm missing something, is Theo part of a company that is charging
excessive fees for software and services? If he is, then people that
purchase those services of course have a right to ask for personal support
(and expect courteous responses).

> So what we know now is that possibly core devices like Firewalls and
> Switches and whatnot could be attacked as well. Can anyone confirm this?
> Any suggestions on how to workaround this?

Given the protocol, encryption requirements, and nature of problem that
we're talking about, *and* that you've mentioned 'Firewalls' and 'Switches'
and 'whatnot', do you really expect someone to come up with a workaround for
'those' devices? Specific vendors etc are a different matter, as FreeBSD has
shown with its patches.

Cheers,
Joe

>
> Cheers
>
> Daniel
>
>
> On Tue, 2003-09-16 at 14:25, Carl Livitt wrote:
> > Straight from the horse's mouth, this is a snippet of an email
> > conversation I just had with Theo Deraadt:
> >
> > --------------
> > Theo,
> >
> > Is there a patch available to patch the off-by-one that has been
> > reported in OpenSSH? As it is being actively exploited in the wild,
> > I would like to patch my servers ASAP (as you can probably imagine).
> >
> > Thank you for taking the time to read - and hopefully respond to - this
> > email.
> >
> > Kind regards,
> >
> > Carl
> > ---------------
> >
> > A flamefest ensued, but his answer was:
> >
> > Bugger off, wait like the rest of the planet.

Well said.

