Free, super-effective security tip: Cut half your features. 95% of your users will never notice.
Then do it again.
I try to live by the mantra “Do it simply and make it composable.” I really wish more of the big projects would do the same.
Advisory from Qualys
Shameless plug, but M:Tier has released binpatches already:
I’m a little disappointed by the original handling of the vulnerability (at least prior to release).
Simply telling people to add the undocumented UseRoaming no to their local config with no context seems pretty poor and encourages what is a bad practice, even with the best of intentions.
What would you have done?
Obviously there should have been a new release that documented the feature, then an announcement telling people to turn it off.
And on the OpenBSD-misc mailing list https://marc.info/?l=openbsd-misc&m=145278077920530&w=2
What is this feature? I don’t see it plugged in to anything, but maybe I suck at searching:
EDIT: Now that the patch went out I can see why my search wasn’t working. s/UseRoaming/use_roaming/
It’s undocumented. edit: oh, I misunderstood your question, sorry!
I can’t even find it being used in the code.
More information and a patch is now available via undeadly. The commit message:
Disable experimental client-side roaming support. Server side was
disabled/gutted for years already, but this aspect was surprisingly
forgotten. Thanks for report from Qualys
Experimental broken code enabled in release versions!? So much for the audit process.
Default install has a hole and they initially refused to disclose it despite supposedly believing in full disclosure. It would probably be a good idea to admit to both of these things.
Apparently you’re relying on ASLR (which can be broken) and malloc’s features (most of which are not enabled by default and sometimes do not apply).
Default install has a hole and they initially refused to disclose it despite supposedly believing in full disclosure.
Where did you get that information from?
The initial information was to add the undocumented “UseRoaming no” to ssh_config, with no other information provided on the “upcoming” CVE. This occurred (at least 5 hours?) before a fix was committed.
http://www.openbsd.org/security.html has a whole section on Full Disclosure.
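As an added example (not code from the thread or from OpenSSH), here is a small audit that reads an ssh_config and reports whether the suggested "UseRoaming no" workaround actually takes effect for a given host, honouring ssh_config's first-match-wins rule. It assumes a constructed sample config, treats an unset option as roaming still enabled (the thread notes the default install is affected), and does not handle Match blocks or Include.

```python
import fnmatch
import re

# Constructed sample ssh_config: a host-specific block comes first, a global
# fallback follows. ssh_config keeps the FIRST value obtained for each option,
# so the "Host *" line does not protect bastion.example.com here.
SAMPLE_SSH_CONFIG = """\
# constructed example config
Host bastion.example.com
    UseRoaming yes
    User ops

Host *
    UseRoaming no
"""

def parse_ssh_config(text):
    """Return (host_patterns, keyword, value) tuples in file order.
    Options before any Host line apply to every host (pattern '*')."""
    entries = []
    patterns = ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "host":
            patterns = value.split()
            continue
        entries.append((patterns, key, value))
    return entries

def host_matches(hostname, patterns):
    """ssh semantics: at least one positive pattern matches and no '!' pattern does."""
    positive = [p for p in patterns if not p.startswith("!")]
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)

def use_roaming_disabled(text, hostname):
    """True only if the first UseRoaming value that applies to hostname is 'no'.
    An absent setting is reported as NOT disabled (assumption: unpatched client)."""
    for patterns, key, value in parse_ssh_config(text):
        if key == "useroaming" and host_matches(hostname, patterns):
            return value.lower() == "no"          # first obtained value wins
    return False
```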
And you seriously thought that no other information was going to be made available?
The “initial information” was in no way an attempt to “refuse to disclose it”, it was a heads up to try to protect as many people as possible with a quick fix before a proper one could be made (ripping out the code), which included coordinating a proper release between a number of people in different countries.
“Full disclosure” does not mean “instantly release all details to everyone with no warning.” Most people involved in security would probably agree with that. Full disclosure can take time, as long as everything is eventually released.
I have no idea how one could interpret “here’s a workaround for a forthcoming bug” as “we refuse to disclose this bug”.
If this was a bug in Linux, we would never hear the end of the smugness from OpenBSD devs.
methinks scarlett might have an agenda to push…
Instead of calling me a troll please explain what you think is wrong with my comment.