[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Jeff Hinrichs jlh at cox.net
Fri Jun 28 05:15:58 UTC 2002


[...snip...]
> yeah, "Disable option XYZ" woulda been nice... but more mature code? +++
Mature code is better than new code.  Something that's been pounded on and
proven is always better than brand new code. *Caveat: Unless mature code has
a big fat security hole in it<g>  3.4 is such a new critter that it is quite
unlikely it is as well tested, especially the separation feature.  This is a
fairly new thing for the service and from what I've read it doesn't work on
all dists yet.

> Perhaps disabling the options is only a 'temporary' fix and should not be
> relied upon that "ok, disabled XYZ.. I'm secure now. = forget about it"?
Disabling an unused feature that has a hole is a valid fix.  And not
necessarily temporary.  If a bucket that you don't use has a hole in it why
replace it? Just get rid of the piece of garbage.  And if you are not going
to use the feature that is at risk you should have it turned off on the
update as well.  Patches should always be considered suspect and the most
likely place to find a new breach.  I can't tell you the number of security
problems M$ has caused itself by enabling everything by default.  Think of
creating a bastion host.  You remove all services that are not needed.
Following this same mindset, you should disable all unused features of the
remaining services.

-Jeff
paranoid is good, just don't shoot your buddy

