The Desktop Fishbowl
tail -f /dev/mind > blog
 |
Wednesday, 26 June 2002 |
|
There is a remote root exploit in OpenSSH. The whats and whyfors haven't been announced yet, although there's a point-release available that at least turns it from remote-root into remote-get-stuck-in-chroot if your OS supports it.
This is very serious shit. Upgrade to 3.3 now, and upgrade again when the real fix is available. Everybody runs ssh, and pretty much everybody trusts it and leaves it wide open (which itself is a sign of complacency). The moment the cause of this bug is leaked, there's going to be a hundred thousand script kiddies trying every door they can find.
Updated: Okay, now I'm annoyed. I ran around finding patches and upgrading my Debian boxes, only to discover I wasn't vulnerable in the first place. The Debian policy is that all security fixes should be back-ported to whatever version of the application is in the stable tree, ensuring no new, unknown bugs are introduced by the upgrade. By withholding details of the bug, and just saying "Upgrade to v3.3 or you will be sorry!", Theo forced the Debian maintainers to put an unstable, untested package with major known issues in the stable tree, and force everyone to upgrade to it.
It turns out Theo was making use of the panic-value of a root exploit in SSH to ram privilege separation down everyone's throats. Well, either that, or he thought that if OpenBSD was going to have a security hole then damnit, everyone should suffer. 10:42:14 PM 
|
Site Stories Reference Me Others      |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
