[luau] openssh vulnerability

Keith krjw at optonline.net
Wed Sep 17 10:04:00 PDT 2003


Greetings from the east.

Many of you may be aware of this already but in any case a new openssh
vulnerability was discussed on slashdot[1] yesterday.  As of yesterday the
vulnerability was not widely known nor widely exploited (as of today I
still haven't seen the exploit code myself) and most vendors had not yet
released patches.  However the beauty of open source is that you can do
it yourself.

The OpenSSH people released version 3.7p1 yesterday in response to the
vulnerability.  Almost immediately after releasing 3.7p1, 3.7.1p1 was
released which fixes more problems related to the vulnerability.

If you are not capable of compiling and installing packages from source,
as of today more vendors are making patches available.  The Internet
Storm Center has a blurb[2] about this issue and pointers to patch
locations.

CERT released an advisory[3] today and thus this issue is more likely to
be widely known about and more likely to be exploited within coming
weeks, possibly in a manner similar to the MS Blaster worm or worse.
(How about an ssh worm?)  I highly suggest reading the advisory and
following the steps in the Solution section of the advisory.

Upgrade if you can.  If you can't upgrade then either disable the ssh
service or block untrusted ssh traffic at your firewalls.  There is
nothing more insulting and embarrassing than having your box rooted.

Regards,
krjw.

References:
[1]http://slashdot.org/article.pl?sid=03/09/16/1327248&mode=thread&tid=126&tid=172
[2]http://isc.sans.org/diary.html?date=2003-09-16
[3]http://www.cert.org/advisories/CA-2003-24.html


PS -- To quote a friend of mine: "DJ Bernstein needs to write an SSH
package."

-- 
Keith R. John Warno                  [k r j w  at  optonline dot net]
In  Denver  it is  unlawful  to  lend  your  vacuum cleaner  to  your
next-door neighbor.

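A version check to go with the upgrade advice in the message (an added example, not code from Keith's post or from the OpenSSH project): it pulls the OpenSSH version out of the string printed by `ssh -V` or carried in the SSH protocol banner and reports whether it is at or above 3.7.1p1, the release the post names as fixed. The sample banners at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether an OpenSSH
# version string is at or above 3.7.1p1, the fixed release named above.
# Accepts the form printed by `ssh -V` ("OpenSSH_3.6.1p2, SSH protocols ...")
# or the protocol banner ("SSH-1.99-OpenSSH_3.7.1p1 FreeBSD-20030916").

# Print "major minor patch portable" as numbers (missing parts as 0), or
# return 1 when the string carries no OpenSSH version at all.
openssh_fields() {
    printf '%s\n' "$1" | awk '
        match($0, /OpenSSH_[0-9]+(\.[0-9]+)*(p[0-9]+)?/) {
            v = substr($0, RSTART + 8, RLENGTH - 8)   # drop "OpenSSH_"
            p = 0
            i = index(v, "p")                         # portable suffix pN
            if (i) { p = substr(v, i + 1) + 0; v = substr(v, 1, i - 1) }
            split(v, f, ".")
            print f[1] + 0, f[2] + 0, f[3] + 0, p
            found = 1
            exit
        }
        END { exit !found }'
}

# Return 0 if the version is 3.7.1p1 or newer, 1 if it is older (vulnerable
# per the advisory), 2 if the string could not be parsed.
openssh_fixed() {
    fields=$(openssh_fields "$1") || return 2
    set -- $fields
    for want in 3 7 1 1; do
        [ "$1" -gt "$want" ] && return 0
        [ "$1" -lt "$want" ] && return 1
        shift
    done
    return 0
}

# Constructed sample banners; on a real host use: openssh_fixed "$(ssh -V 2>&1)"
for banner in "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f" \
              "SSH-1.99-OpenSSH_3.7.1p1 FreeBSD-20030916" \
              "SSH-2.0-OpenSSH_3.7p1" \
              "SSH-2.0-NotOpenSSH"; do
    rc=0; openssh_fixed "$banner" || rc=$?
    case $rc in
        0) echo "ok        $banner" ;;
        1) echo "UPGRADE   $banner" ;;
        *) echo "unknown   $banner" ;;
    esac
done
```

Note that 3.7p1 is reported as needing an upgrade: the post says 3.7.1p1 fixed further problems, so only that release or newer counts as fixed.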