On Fri, 15 Mar 2002, Bill Crawford wrote:
> On Thu, 14 Mar 2002, Rick Warner wrote:
> The openssh issue was fixed by a one line patch, indeed a single
> character change, which because of the "open" nature of the source
> could be applied by anyone with a text editor and the ability to
> type. The zlib issue was apparently very difficult to exploit.
>
> I think the chief danger with SSH is that using it can engender a
> kind of complacency with regard to security.

There is one other major security issue with SSH - it allows users the
ability to circumvent other security. The fact that if you open up
SSH into your network then any user can tunnel any traffic he wants into
your network is a major flaw. SSH would be a much more acceptable tool if
the tunneling feature was disconnected from the rest.

And the fact that last week's fix was a one line patch is irrelevant. Size
does not matter in this case; if it is exploitable it is exploitable and
that is a problem whether the fix is one character or a million
lines. The person who cracks into your network is not going to care that
you could have fixed it with a one character patch - they are in and have
control.
- rick -
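
The tunneling concern in the message above corresponds to a handful of sshd_config keywords in current OpenSSH. The following is an added example, not part of the original thread: it reports which forwarding features the global section of a config leaves enabled. The sample config is constructed, the function names are illustrative, and Match blocks are not evaluated.

```python
# Added example: audit the global section of an sshd_config for forwarding settings.
# Defaults are those documented in sshd_config(5) for current OpenSSH.
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowstreamlocalforwarding": "yes",
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "gatewayports": "no",
}

def effective_global_settings(config_text):
    """Return the effective value of each forwarding keyword in the global section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            break  # conditional overrides start here; out of scope for this audit
        if key in FORWARDING_DEFAULTS and key not in seen:
            seen[key] = value  # sshd uses the first value it obtains for a keyword
    return {k: seen.get(k, default) for k, default in FORWARDING_DEFAULTS.items()}

def forwarding_findings(config_text):
    """List keywords whose effective value permits some form of forwarding."""
    settings = effective_global_settings(config_text)
    return sorted(k for k, v in settings.items() if v != "no")

# Constructed sample, not taken from a real host.
SAMPLE = """\
# constructed sample
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes
X11Forwarding yes
PermitTunnel=no
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for keyword in forwarding_findings(SAMPLE):
        print("forwarding still permitted by:", keyword)
```

sshd_config(5) itself notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.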