**To:** [a whole lot of lists] > **Subject:** Upcoming OpenSSH vulnerability > **Date:** Mon, 24 Jun 2002 15:00:10 -0600 > **From:** Theo de Raadt <XXXXXXXXXXXXXXXXXXXXXXX>
There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week.
Upcoming OpenSSH vulnerability [1]
Well, nice to know that “early next week” means “today [2].” Also nice to know that the couple of hours I yesterday [3] could have been fixed with a simple one line configuration change. [4]
I'm of mixed minds about how this was handled. I do think Theo overplayed his hand in attempting to force one particular way of fixing the problem with priviledge serparation (which is probably a good idea if the operating system in question supports it) but given that an exploit in OpenSSH [5] could cause massive damage, how else can you solve the problem such that the damage is minimized?
Hard questions, and that's why I'm of mixed minds (I would have preferred knowing about the one line configuration change but would have that given the Black Hats enough of a clue to write an exploit?)
[1] http://www.linuxweeklynews.com/Articles/3322/
[2] http://www.openssh.org/txt/iss.adv