Date: Thu, 6 Sep 2007 12:18:14 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Jeff Watson" <jwatson@css.glasshouse.com>
Subject: Re: what version of OpenSSH are you running on the new 3.0.1.0
 code?
Message-ID: <20070906121814.0e1c4232@ripper.onstor.net>
In-Reply-To: <007f01c7f093$b0a32890$915f3090@glasshousetech.com>
References: <20070906072845.2dcbec72@ripper.onstor.net>
	<007f01c7f093$b0a32890$915f3090@glasshousetech.com>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

you're right, the technical term is "commando" ~:^)

On Thu, 6 Sep 2007 10:39:11 -0400 "Jeff Watson"
<jwatson@css.glasshouse.com> wrote:

> Andy,
> 
> I have got to ask this.  :)
> 
> Is bare-assed a technical term?
> 
> :)  :)  :)
> 
> Jeff Watson
> Manager, Customer Support Services
> GlassHouse Technologies, Inc.
> O: 919-767-5744
> C: 919-349-0325
> F: 919-767-5799
> jwatson@css.glasshouse.com
> 
> -----Original Message-----
> From: Andrew Sharp [mailto:andy.sharp@onstor.com] 
> Sent: Thursday, September 06, 2007 10:29 AM
> To: Fred D. McFadden
> Cc: 'dl-cstech'
> Subject: Re: what version of OpenSSH are you running on the new
> 3.0.1.0 code?
> 
> Please remember that these machines are not meant to be run bare-assed
> on the internet, but as internal appliances where their environment is
> tightly controlled.
> 
> That being said, there are many very large, real, security holes in
> our product besides this theoretical security hole.  Theoretical
> because it has probably never been actually exploited even to crash
> the ssh server, and because of the highly inflammatory "...possibly
> execute arbitrary code..." which is obviously theoretical on its best
> day.
> 
> Cheers,
> 
> a
> 
> On Thu, 6 Sep 2007 09:54:35 -0400 "Fred D. McFadden"
> <fredm@css.glasshouse.com> wrote:
> 
> > Customer asks the below, can anyone answer? Thanks -Fred
> > ---------------
> > A new comment has been added to case 5806 by Server Manager.
> > https://ssl.salesforce.com/500000000015x3tAAA
> > 
> > ---------------- Comment: ---------------- Michael,
> > 
> > BTW, what version of OpenSSH are you running on the new 3.0.1.0
> > code? Because OpenSSH 4.4 and earlier contain a signal handler race
> > condition in the GSSAPI functionality which can lead to memory
> > being free()'d twice. This flaw allows a remote attacker to crash
> > the OpenSSH service and possibly execute arbitrary code on the
> > server.
> > 
> > Thanks,
> > 
> > Yong
> > 
> > 
> 
> 
