Greetings from the east. Many of you may be aware of this already but in any case a new openssh vulnerability was discussed on slashdot[1] yesterday. As of yesterday the vulnerability was not widely known nor widely exploited (as of today I still haven't seen the exploit code myself) and most vendors had not yet released patches. However the beauty of open source is that you can do it yourself.
The OpenSSH people released version 3.7p1 yesterday in response to the vulnerability. Almost immediately after 3.7p1, 3.7.1p1 was released, which fixes more problems related to the vulnerability. If you are not capable of compiling and installing packages from source, as of today more vendors are making patches available. The Internet Storm Center has a blurb[2] about this issue and pointers to patch locations.

CERT released an advisory[3] today and thus this issue is more likely to be widely known about and more likely to be exploited within the coming weeks, possibly in a manner similar to the MS Blaster worm or worse. (How about an ssh worm?) I highly suggest reading the advisory and following the steps in the Solution section of the advisory. Upgrade if you can. If you can't upgrade, then either disable the ssh service or block untrusted ssh traffic at your firewalls. There is nothing more insulting and embarrassing than having your box rooted.

Regards,
krjw.

References:
[1] http://slashdot.org/article.pl?sid=03/09/16/1327248&mode=thread&tid=126&tid=172
[2] http://isc.sans.org/diary.html?date=2003-09-16
[3] http://www.cert.org/advisories/CA-2003-24.html

PS -- To quote a friend of mine: "DJ Bernstein needs to write an SSH package."

--
Keith R. John Warno [k r j w at optonline dot net]
In Denver it is unlawful to lend your vacuum cleaner to your next-door neighbor.
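The two pieces of advice in the message above (find out whether your sshd is older than 3.7.1, and if you cannot upgrade yet, only let trusted networks reach it) as an added shell example. This is not code from the original post, the advisory, or the OpenSSH project; the sample version strings and the trusted network ranges are made up for illustration, and the iptables rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH itself.
# (1) openssh_vulnerable: is an OpenSSH version string older than 3.7.1, the
#     release the post names as fixing the remaining problems?
# (2) ssh_firewall_rules: for a host that cannot upgrade yet, print iptables
#     rules that accept TCP/22 only from trusted networks and drop the rest.
# Nothing here touches the live firewall; the rules are only printed.

# Reduce "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f" or a
# bare "3.7p1" to the integer key major*10000 + minor*100 + patch.  The
# portable suffix (p1, p2, ...) is deliberately ignored: the fix is in the
# 3.7.1 code base on every platform.  Pass only OpenSSH version strings; a
# string with no digits at all yields status 2.
openssh_version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 2                     # nothing version-like found
    set -- $(printf '%s\n' "$v" | tr '.' ' ')   # split on dots
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Exit status: 0 = older than 3.7.1 (vulnerable), 1 = 3.7.1 or newer,
# 2 = the string could not be parsed.
openssh_vulnerable() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -lt 30701 ]
}

# Print iptables rules allowing sshd only from the given networks.  Review the
# output, then run it as root on the host (or at the border firewall).
ssh_firewall_rules() {
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Constructed sample strings (not output captured from any real host).
for sample in "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f" \
              "OpenSSH_3.7p1" "OpenSSH_3.7.1p1"; do
    if openssh_vulnerable "$sample"; then
        echo "$sample: VULNERABLE, upgrade to 3.7.1p1 or later"
    else
        echo "$sample: fixed"
    fi
done

# The same check against whatever ssh is on this machine, if any.
if command -v ssh >/dev/null 2>&1; then
    live=$(ssh -V 2>&1 || true)                 # ssh -V writes to stderr
    if openssh_vulnerable "$live"; then
        echo "this host: $live -> VULNERABLE"
    else
        echo "this host: $live -> 3.7.1 or newer (or not an OpenSSH string)"
    fi
fi

# Hypothetical trusted ranges; substitute your own management networks.
echo "rules for a host that cannot upgrade yet:"
ssh_firewall_rules 10.0.0.0/8 192.0.2.0/24
```

The version key ignores the `pN` suffix on purpose: 3.7p1 parses as 3.7.0 and is reported vulnerable, which matches the post's point that only 3.7.1p1 fixes the remaining problems. The DROP rule is intentionally last so that the ACCEPT rules for trusted networks are matched first; if you also want to stop the daemon outright, that is a vendor-specific init script step not shown here.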
