Bug#327233: Any movement on this?

2005-11-28 Thread Russ Allbery
Micah Anderson [EMAIL PROTECTED] writes:

> I'm just sending a ping to find out if there has been any movement on
> this issue.

> Back in September you wrote:

>> This is absolutely fantastic news.  As soon as I get some more free
>> time, I'll try the new packages and look at what the transition will
>> entail. Getting back to one set of SSH packages will make life far
>> easier for everyone.

Hi Micah,

As Sam mentions, it's not at all clear to either of us that this is
actually a bug.  I don't really understand why this was considered a
security issue; the only possible attack that I can see should be
prevented by SSH's standard known hosts handling.  Perhaps that wasn't
considered a sufficient test?

Anyway, I've been rather busy with various projects, so I haven't yet had
a chance to write up a migration plan for eliminating the openssh-krb5
package.  Given the controversial and low-impact nature of this
vulnerability, though, I'd still rather proceed with that than upload a
new release with this patch.  I'll try to write up a migration proposal
this week and start the discussion with the OpenSSH maintainers.

Thank you for the reminder!

-- 
Russ Allbery ([EMAIL PROTECTED])   http://www.eyrie.org/~eagle/





Bug#327233: Any movement on this?

2005-11-27 Thread Micah Anderson

Hi,

I'm just sending a ping to find out if there has been any movement on
this issue.

Back in September you wrote:

> This is absolutely fantastic news.  As soon as I get some more free
> time, I'll try the new packages and look at what the transition will
> entail. Getting back to one set of SSH packages will make life far
> easier for everyone.

Sorry to be irritating, but we track these bugs in Testing Security and
many times people forget about them and find a ping actually helpful to
remind them...

micah







Bug#327233: Any movement on this?

2005-11-27 Thread Sam Hartman
>>>>> "Micah" == Micah Anderson [EMAIL PROTECTED] writes:

    Micah> Hi,

    Micah> I'm just sending a ping to find out if there has been any
    Micah> movement on this issue.

I continue to believe that this is not a security issue and that
openssh is wrong to have applied the patch.

That doesn't answer the question you asked (Russ has been working on
that, not I) but it does argue that perhaps this is not an issue for
testing security.

--Sam


