As most of you have probably heard by now, a buffer overflow has been found in ssh. To stop us from being flooded with questions, here is some more information: the IBM Emergency Response Team has found a buffer overflow in the logging code of ssh. At this moment it is not known if this is what was used to break into rootshell on October 28.

Preliminary packages with a fix, based on a patch by Simon Kirby <sim@netnation.com>, are currently available at two locations:

  http://www.wi.leidenuniv.nl/~wichert/ssh/
  http://amber.deltatee.com/~jgg

Another fix is to add the -q option to sshd, which disables the logging code in sshd.

Please note that these packages are not official fixes and have not received enough testing. When the fixed packages are uploaded and installed we will make a proper announcement.

Wichert.

--
Debian GNU/Linux . Security Managers . security@debian.org
debian-security-announce@lists.debian.org
Christian Hudon . Wichert Akkerman . Martin Schulze
<chrish@debian.org> . <wakkerma@debian.org> . <joey@debian.org>