Friday 16 May 2008

Yet more on the Debian OpenSSL bug

OpenSSL's Ben Laurie posted a lengthy comment about the bug and the various issues pertaining to it that clearly annoy him significantly. I'm not really qualified to comment on most of his points, but this one is a real killer:

"[My] objection to the fix Debian put in place has been misunderstood. The issue is not that they did not fully reverse their previous patch - as I say above, the second removal is actually fine. My issue is that it was committed to a public repository five days before an advisory was issued. Only a single attacker has to notice that and realise its import in order to start exploiting vulnerable systems - and I will be surprised if that has not happened."

The spike in OpenSSH attacks that DShield detected earlier in the week indicates to me that he is dead right here - it now seems very likely to me that someone with malign intent did notice the unexplained patch and was attempting to exploit it. Posting a patch for a vulnerability as serious as this without publishing an advisory about it is pretty reckless IMO.

