I caught this note on another SAGE local's mailing list. Keep an eye out for confirmation, and be ready to make your own informed decision or evaluation of any threats involved. The link provided is to an alleged archive of the openssh-unix-announce mailing list, so we should be able to cross-check the original note from Theo...
Ah... I've gotten a very vague but similar warning w/o any details on the netbsd-announce list an hour ago.

From: "Luke Boyett" <[EMAIL PROTECTED]>
Date: Mon, 24 Jun 2002 19:11:38 -0400 (EDT)

A significant OpenSSH vulnerability is expected to be published at the end of this week. Apparently, it's remotely exploitable.

The latest release of OpenSSH (v3.3) includes privilege separation by default, which will mitigate this and all future vulnerabilities in OpenSSH. So I'd urge you all to upgrade to the newest OpenSSH very soon. If you are not comfortable upgrading from source, please speak/correspond with your OS/distribution vendor about integrating and packaging this new version as soon as possible.

For more details from one of the OpenSSH lead developers, see:
http://www.mindrot.org/pipermail/openssh-unix-announce/2002-June/000041.html

-Luke Boyett
