Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Justin Wells]

On Fri, Aug 11, 2000 at 04:03:03PM -0400, Greg A. Woods wrote:

> > And the risk that I'll be attacked by a bug in the auth code is much less
> > than the risk that I'll be attacked by a properly authorized user.
> 
> This would be true if it were completely true, but without SSH you do
> not have a properly authorised user 

Let me put it this way: the risk that I will be attacked by an authorized
user, even if authorized via ssh, is much higher than the risk that someone
will find a bug in the setuid auth code.

> Please don't make blatantly false claims about security related issues!

Words for you to live by too.

Justin