Technical discussion regarding security issues in NetBSD

John Nemeth | 1 Jul 2002 01:46

Picon

Re: rfc2228 in ftpd

On Nov 14,  3:29am, Jason R Thorpe wrote:
} 
} (FreSSH has addressed some of the issues with SSHv1 with some extensions,
} but the FreSSH developers haven't had time to work on FreSSH much for ...
} quite a while, and these extensions only work with FreSSH anyway.)

     The last time there was an OpenSSH issue, the FreSSH developers
said they would try to pick up the pace.  Even with their "famed
auditing", OpenSSH seems to have a serious security hole appear every
couple of months (this doesn't say much about the quality of their
code).  Every time, they do this, I have to update 20+ systems.  Many
of them are unique, so I can't just compile on one machine and sprinkle
it around like magic dust.  Also, given that they sounded a major panic
unnecessarily, I don't trust them.  They made it seem like I had to
update all 20+ systems on the spot, when there was no need to update
any of them, except to make a config change on a handful.  They just
happen to be the best choice available at the moment.  However, I would
really really like an alternative.

}-- End of excerpt from Jason R Thorpe

itojun | 1 Jul 2002 02:22

Re: rfc2228 in ftpd

>it around like magic dust.  Also, given that they sounded a major panic
>unnecessarily, I don't trust them.  They made it seem like I had to
>update all 20+ systems on the spot, when there was no need to update
>any of them, except to make a config change on a handful.  They just
>happen to be the best choice available at the moment.  However, I would
>really really like an alternative.

	there were reasons why they couldn't annouce the config file workaround
	when 3.3 release was made.
	- saying "disabling challenge authenticaiton will make you safe"
	  will make the location of the bug apparent, letting script kiddies
	  create attack code in less than a day
	  (and in fact, did you see posting on bugtraq?  in fact attack
	  code appeared in less than a day)
	- ditto for "disabling protocol version 2"

	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
	upgrade path was annouced.  i think it will help a lot of people to
	understand why it had to be handled this way.

itojun

matthew green | 1 Jul 2002 02:28

Picon

re: rfc2228 in ftpd


   >it around like magic dust.  Also, given that they sounded a major panic
   >unnecessarily, I don't trust them.  They made it seem like I had to
   >update all 20+ systems on the spot, when there was no need to update
   >any of them, except to make a config change on a handful.  They just
   >happen to be the best choice available at the moment.  However, I would
   >really really like an alternative.

   	there were reasons why they couldn't annouce the config file workaround
   	when 3.3 release was made.
   	- saying "disabling challenge authenticaiton will make you safe"
   	  will make the location of the bug apparent, letting script kiddies
   	  create attack code in less than a day
   	  (and in fact, did you see posting on bugtraq?  in fact attack
   	  code appeared in less than a day)
   	- ditto for "disabling protocol version 2"

   	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
   	upgrade path was annouced.  i think it will help a lot of people to
   	understand why it had to be handled this way.

i will never understand why it had to be handled that way.  it was
*SO EASY* for me to go to all my machines and turn off skey.  it
had started to prove to be a REAL PAIN IN THE ASS to update them
to a newer version (that STILL included the problem) that i'm not
sure i'd done more than 1 machine before the ISS advisory came out
and the sane workaround became known.

protect the users?  this sounds so much like "protect the children"
to me it makes me sick.

(Continue reading)

Jason R Thorpe | 1 Jul 2002 02:41

Re: rfc2228 in ftpd

On Mon, Jul 01, 2002 at 09:22:30AM +0900, itojun <at> iijlab.net wrote:

 > 	there were reasons why they couldn't annouce the config file workaround
 > 	when 3.3 release was made.

There is NO reason that this work around could not have been disclosed
by the OpenSSH developers through the appropriate channels (e.g. CERT, who
then privately communicates with the security contacts of the various other
organizations).  There was also no reason not to provide a patch against
older versions of OpenSSH which fixed the problem through those same channels.

This would have allowed:

	* Projects such as NetBSD and FreeBSD to (silently) protect their
	  servers.

	* Software vendors to have new binaries, patches, whatever available
	  when the advisory is made public.  Again, this could have been
	  done silently, without the general public's knowledge.

	* Vendors to determine that no action is necessary on their part
	  based on how their software is configured.  Again, this can take
	  place without the general public's knowledge.

Instead, what happened is that a rumor of a nasty exploit was floated, with
the suggestion to upgrade to a new version (which includes new, non-mature
code, something which is especially dangerous to do, considering the security-
sensitive nature of the code in question), and a general sense of panic in the
community.

(Continue reading)

Bill Sommerfeld | 1 Jul 2002 02:46

Picon

Re: rfc2228 in ftpd

> 	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
> 	upgrade path was annouced.  i think it will help a lot of people to
> 	understand why it had to be handled this way.

The reasoning was clear but unreasonable..

The idea that a significant fraction of end users could just
immediately drop everything and upgrade to 3.3 is completely
ridiculous...  particularly since the "privilege separation" features
necessary to defend against the unmentionable bug were *advertised* as
having functional regressions!

					- Bill

Jason R Thorpe | 1 Jul 2002 03:11

Re: rfc2228 in ftpd

On Sun, Jun 30, 2002 at 07:01:36PM -0600, Theo de Raadt wrote:

 > Why are you bothering to have this witch-hunt conversation when our
 > responses are censored?

If your responses would actually address the issues outlined, then the
moderator of the list will certainly let them through.  However, it is
precisely the fact that they consistently do NOT stay on-topic that
they're not generally passed on.

--

-- 
        -- Jason R. Thorpe <thorpej <at> wasabisystems.com>

itojun | 1 Jul 2002 03:37

Re: rfc2228 in ftpd

>Itojun and I) dislosed in 6 hours instead of via CERT because it
>became clear to us that FreeBSD and NetBSD security officers were BUSY
>LEAKING THE INFORMATION?!?  (I do not intend to play that blame game

	correction - NetBSD security officers did not leak any
	info (in fact, i did not even inform them until the rumor was injected
	into security-alert <at> netbsd from other side)

itojun

Theo de Raadt | 1 Jul 2002 03:01

Picon

Re: rfc2228 in ftpd

Why are you bothering to have this witch-hunt conversation when our
responses are censored?

Theo de Raadt | 1 Jul 2002 03:42

Picon

Re: rfc2228 in ftpd

Jason, please do not make false statements like this.

4 messages directly on topic were not sent through until I asked for
them to be sent through.  Then they were sent through.  Was sending
them through a mistake, or was blocking them a mistake?  Can you
please clarify?

Hugh's messages in port-vax with booting bug fixes were also censored
and he had to replace his email address.

This is a message which was blocked until after:

    http://mail-index.netbsd.org/tech-security/2002/06/27/0016.html

Was this above message not relevant?

It was in response to this message:

    http://mail-index.netbsd.org/tech-security/2002/06/27/0008.html

Does this above message meet the requirements, where mine doesn't?

> On Sun, Jun 30, 2002 at 07:01:36PM -0600, Theo de Raadt wrote:
> 
>  > Why are you bothering to have this witch-hunt conversation when our
>  > responses are censored?
> 
> If your responses would actually address the issues outlined, then the
> moderator of the list will certainly let them through.  However, it is
> precisely the fact that they consistently do NOT stay on-topic that

(Continue reading)

Theo de Raadt | 1 Jul 2002 03:34

Picon

Re: rfc2228 in ftpd

> > 	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
> > 	upgrade path was annouced.  i think it will help a lot of people to
> > 	understand why it had to be handled this way.
> 
> The reasoning was clear but unreasonable..
> 
> The idea that a significant fraction of end users could just
> immediately drop everything and upgrade to 3.3 is completely
> ridiculous...

Well, I heard from one Fortune 100 company that updated 2300 machines
to 3.3 in 15 hours and accepted the functional problems for the 4 day
window; a very major foreign government agency that filtered protocol
22 on all of their core routers; a large ISP that went through their
sshd_config files and cut down the functionality as much as possible
(and luckily made the right guesses, without any disclosure hints from
me -- they asked "did we limit it enough?" and I said "perhaps.  I
cannot disclose" and they replied "we understand, thanks, we're going
to stick with this stance."), and also from hundreds of individual and
corporate users of unknown size, who disabled or filtered it in some
ways.  SPRINT NOC called me at home and asked some questions,
apparently they realized that our machines are on their network, and
wanted to make sure they would not suffer from this and stop us from
releasing a new version -- that was a real wow moment.  I have
received hundreds and hundreds of mails about this.

That is a very significant community that were fore-warned.

For those who couldn't respond with taking a security stance, I am
sorry.  Their situation is no different than no warning before

(Continue reading)

Group

gmane.os.netbsd.devel.security.

Advertisement

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10

Articles in period: 92

July 2002

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

$fetch_pkg_vulnerabilities warning from /etc/daily (12 Jun 2013)
Potwierdz swoje konto (31 May 2013)
[GSoC 2013] Implement file system flags to scrub data blocks before de (30 Apr 2013)
regarding project to"Implement file system flags to scrub data blocks (14 Apr 2013)
Google Summer of Code 2013. (13 Apr 2013)
OpenCrypto swcrypto(4) enhancements (10 Apr 2013)
NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak Cryptogr (30 Mar 2013)
ECDSA and key leaks due to RNG problems. (25 Mar 2013)
Updated NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak (7 Mar 2013)
NetBSD Security Advisory 2013-003: Pseudo-Random bits weaker than expe (27 Feb 2013)
NetBSD Security Advisory 2013-004: Vulnerabilities in grep (27 Feb 2013)
NetBSD Security Advisory 2013-002: kqueue related kernel panic trigger (27 Feb 2013)
You have (1) new ecard! (26 Feb 2013)
You have (1) new ecard! (8 Feb 2013)
Invitation to Bid - Jared #2528 - Evansville, IN (30 Jan 2013)
Notice of Addendum #: 1 - Oregon Park District (29 Jan 2013)
Invitation to Bid - Spencer Gifts #205 - St. Clair Square (29 Jan 2013)
NetBSD Security Advisory 2013-001: kernel panic triggered from userlan (29 Jan 2013)
Your Blue Book Network Project Leads ( MREF#188430675 ) (27 Jan 2013)
� Last day to save on our website presence package (25 Jan 2013)
Analyst Report: Understanding Responsive Design (25 Jan 2013)

Archives

13	June 2013
3	May 2013
6	April 2013
3	March 2013
6	February 2013
16	January 2013
6	December 2012
28	November 2012
6	October 2012
4	September 2012
2	August 2012
20	July 2012
12	June 2012
4	May 2012
4	April 2012
10	March 2012
16	December 2011
2	November 2011
2	October 2011
1	September 2011
7	August 2011
1	July 2011
3	June 2011
1	May 2011
16	April 2011
2	March 2011
3	February 2011
3	January 2011
2	December 2010
13	November 2010
9	October 2010
10	September 2010
3	August 2010
4	July 2010
1	June 2010
9	April 2010
1	March 2010
11	February 2010
7	January 2010
10	December 2009
2	November 2009
1	October 2009
1	August 2009
12	July 2009
11	June 2009
8	May 2009
7	April 2009
38	March 2009
10	February 2009
19	January 2009
3	December 2008
16	November 2008
11	October 2008
2	September 2008
17	August 2008
18	July 2008
14	June 2008
16	May 2008
6	April 2008
7	March 2008
7	February 2008
37	January 2008
27	December 2007
12	November 2007
12	October 2007
3	September 2007
11	August 2007
12	July 2007
50	June 2007
7	May 2007
2	April 2007
12	March 2007
73	February 2007
32	January 2007
55	December 2006
61	November 2006
28	October 2006
37	September 2006
71	August 2006
18	July 2006
8	June 2006
6	May 2006
22	April 2006
97	March 2006
59	February 2006
111	January 2006
45	December 2005
45	November 2005
41	October 2005
54	September 2005
113	August 2005
107	July 2005
46	June 2005
27	May 2005
87	April 2005
163	March 2005
21	February 2005
30	January 2005
9	December 2004
73	November 2004
10	October 2004
4	September 2004
8	August 2004
62	June 2004
85	May 2004
35	April 2004
28	March 2004
15	February 2004
12	December 2003
21	November 2003
23	October 2003
246	September 2003
27	August 2003
16	July 2003
58	June 2003
22	May 2003
20	April 2003
36	March 2003
3	February 2003
31	January 2003
27	December 2002
56	November 2002
179	October 2002
67	September 2002
87	August 2002
92	July 2002
143	June 2002
87	May 2002
75	April 2002
1	March 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template