
Re: ssh vulnerability in the wild



Josh Carroll <josh.carroll@psualum.com> writes:

> Actually, people have reported that there is an exploit, and in fact
> even OpenBSD is vulnerable.

Yes, I've seen these claims, but you have to keep in mind that not
everyone who posts to mailing lists is entirely honest. 8-)

Early claims such as "*BSDs, GNU/Linux and Solaris are all affected"
should be taken with a grain of salt, especially if a heap-based
overflow is involved.  The malloc() implementations are quite
different, and the *BSDs are less vulnerable to heap corruption than
other systems.

> I would still patch ASAP. Best not to risk it.

If I was still busy recovering from MS03-039, I wouldn't stop this
work in favor of this.  My gut feeling is that it's okay to wait for
vendor patches.

> It's probably a matter of time before a widely available exploit is
> released.

First of all, the bug has to be actually exploitable.  Please keep in
mind that so far, *zero* evidence has been published that this is
actually possible.  If it is exploitable, it has to be an anonymous
exploit (without proper login), unless it won't have a wide-spread
impact.

> I personally would like to see said exploit so I can test my systems
> post-patch.

At least you can use the package version indicator in the reply string
to see which version of the binary is running.
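
The check suggested above, as an added example that is not part of the original message: it splits an SSH identification line into its fields and compares the package indicator in the comment field against a list of fixed builds. The banner values, the `Distro` label and the `PATCHED` set are constructed placeholders; fill the set from your vendor's advisory.

```python
import re
import socket

# Identification line: SSH-<protoversion>-<softwareversion>[ <comments>]
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed placeholders, not real versions: take the fixed builds
# from your vendor's advisory.
PATCHED = {("OpenSSH_0.0p0", "Distro 1:0.0p0-0.fixed1")}

def parse_ident(line):
    """Split an identification line into its fields, or return None."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    m = IDENT_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def read_ident(host, port=22, timeout=5.0):
    """Read the identification line from a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as f:
            for _ in range(20):          # servers may send other lines first
                line = f.readline(256)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return line
    return None

def classify(line, patched=PATCHED):
    """Return 'patched', 'not-listed' or 'unknown' for one banner."""
    ident = parse_ident(line) if line else None
    if ident is None or not ident["comments"]:
        return "unknown"   # no package indicator: the banner cannot tell
    key = (ident["software"], ident["comments"])
    return "patched" if key in patched else "not-listed"

if __name__ == "__main__":
    samples = [  # constructed banners
        b"SSH-2.0-OpenSSH_0.0p0 Distro 1:0.0p0-0.fixed1\r\n",
        b"SSH-2.0-OpenSSH_0.0p0 Distro 1:0.0p0-0.old1\r\n",
        b"SSH-1.99-OpenSSH_0.0p0\r\n",
    ]
    for s in samples:
        print(classify(s), parse_ident(s))
```

A banner with no comment field is reported as `unknown` rather than guessed at, since the upstream version string alone does not show whether a vendor backported the fix.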


