Re: [Full-Disclosure] The lowdown on SSH vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] The lowdown on SSH vulnerability
- From: Carl Livitt <carl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Sep 2003 13:09:18 +0000
There _is_ a patch:
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6&r2=1.1.1.7&f=h
Carl.
On Tuesday 16 September 2003 12:25, Carl Livitt wrote:
> Straight from the horse's mouth, this is a snippet of an email conversation
> I just had with Theo Deraadt:
>
> --------------
> Theo,
>
> Is there a patch available to patch the off-by-one that has been reported
> in OpenSSH? As it is being actively exploited in the wild, I would like
> to patch my servers ASAP (as you can probably imagine).
>
> Thank you for taking the time to read - and hopefully respond to - this
> email.
>
> Kind regards,
>
> Carl
> ---------------
>
> A flamefest ensued, but his answer was:
>
> Bugger off, wait like the rest of the planet.
>
> -------------
>
> After more flaming abuse, I received this from him:
>
> I have been spending the last 10 days making openbsd releases for
> about 14-15 hours a day for people to use
> We've been spending hours and hours making openssh release
> We are dealing with an, as far as we know, unexploitable hole
> (affects some systems, but not openbsd it is pretty clear) issue
> for all of you who run other system
> we've been dealing with this frantically
> to make something that the internet relies on as good
> as good as it possibly can be
> no sleep for 30 hours
> and you expect me to treat you special?
>
> AND YOU EXPECT ME TO TREAT YOU SPECIAL?
>
> AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK
> RIGHT?
>
> and you think that you pasting it to some icb channel makes me feel
> worth less, when every single hp and cisco switch containing this code
> is likely vulnerable, and i don't like that, and want to make the
> world a better place even if it kills me due to stress and lack of
> sleep because i think that a better world is a better place to live
> my life?
>
>
> The main point is that "every single hp and cisco switch containing this
> code is likely vulnerable". Oh dear, this could get nasty.. batten down the
> hatches...
>
> Poor Theo, he needs his rest.
>
> Carl.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Carl Livitt
IT Manager
Changes - The Learning Shop
Suite 16, Friary Chambers
Whitefriargate
Hull, HU1 2HA
Tel. (01482) 211758
Fax. (01482) 211012
Email. carl@xxxxxxxxxxxxxxxxxxxxxx