Forum OpenACS Q&A: OpenSSH vulnerability (URGENT)

Posted by Jon Griffin on
CERT Advisory CA-2002-24 Trojan Horse OpenSSH Distribution
http://www.openssh.com/txt/trojan.adv

Never trust anyone who says they can't be compromised because of
their superior OS.

Posted by David Walker on
Never trust anybody that says they can't be compromised for whatever reason.

You can't blame this one on OpenBSD though, according to some of the Slashdot buzz. It is said that OpenBSD downloads are provided via a box running SunOS. (Unless the blackhats broke in via an OpenSSH vulnerability, then we blame the whole thing on the OpenSSH folks.)
Posted by Jon Griffin on
If that's the case OK, but still... they talk a lot of crap about security, they should clean their own house.
Posted by Patrick Giagnocavo on
My understanding is that the trojaned part was the code base for non-OpenBSD OpenSSH.  Thus users of OpenBSD would not in any case have been affected.
Posted by russ m on
It's not their house - the primary OpenBSD/OpenSSH download
site is donated space on a Sun box at the University of Alberta
(one of the SunSITE machines).  I'm sure that if you were
interested in donating hardware and bandwidth so they could
provide primary downloads from an OpenBSD machine
admined by a team member, Theo would like to hear from you.
Posted by Louis Zirkel on
Jon says: Never trust anyone who says they can't be compromised because of their superior OS.

I admit that Theo de Raadt (among others) is quite arrogant, but I don't think that's any reason to make such petty comments.

OpenBSD has a noble goal and charter, and regardless of how asinine any of their contributors or leaders may act, I think they are to be congratulated on contributing what they have for the greater good.

zzzirk