Re: ssh vulnerability in the wild
Josh Carroll <josh.carroll@psualum.com> writes:
> Actually, people have reported that there is an exploit, and in fact
> even OpenBSD is vulnerable.
Yes, I've seen these claims, but you have to keep in mind that not
everyone who posts to mailing lists is entirely honest. 8-)
Early claims such as "*BSDs, GNU/Linux and Solaris are all affected"
should be taken with a grain of salt, especially if a heap-based
overflow is involved. The malloc() implementations are quite
different, and the *BSDs are less vulnerable to heap corruption than
other systems.
> I would still patch ASAP. Best not to risk it.
If I were still busy recovering from MS03-039, I wouldn't stop this
work in favor of this. My gut feeling is that it's okay to wait for
vendor patches.
> It's probably a matter of time before a widely available exploit is
> released.
First of all, the bug has to be actually exploitable. Please keep in
mind that so far, *zero* evidence has been published that this is
actually possible. If it is exploitable, it has to be an anonymous
exploit (without proper login), unless it won't have a wide-spread
impact.
> I personally would like to see said exploit so I can test my systems
> post-patch.
At least you can use the package version indicator in the reply string
to see which version of the binary is running.
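
The version check suggested at the end of the message above, as an added example that is not part of the original post: it parses the SSH identification ("reply") string in the RFC 4253 format and lists hosts whose banner differs from the patched build. The names `parse_ident`, `read_ident`, `unpatched`, the "ExampleSSH" product and the package strings are assumptions constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_ident(raw):
    """Extract protocol, software version and package comment from banner bytes."""
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if not text.startswith("SSH-"):
            continue  # a server may send free-text lines before its ident string
        if len(text) > 253:  # 255 bytes maximum including CR LF
            raise ValueError("identification string too long")
        match = IDENT_RE.match(text)
        if match is None:
            raise ValueError("malformed identification string: %r" % text)
        return match.groupdict()
    raise ValueError("no SSH identification string found")

def read_ident(host, port=22, timeout=5.0, max_lines=20):
    """Read the identification string from a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        with conn.makefile("rb") as stream:
            for _ in range(max_lines):
                line = stream.readline(1024)
                if line.startswith(b"SSH-"):
                    return parse_ident(line)
    raise ValueError("no SSH identification string from %s" % host)

def unpatched(banners, patched_software, patched_comments):
    """Return hosts whose banner differs from the patched build's banner."""
    stale = []
    for host in sorted(banners):
        try:
            ident = parse_ident(banners[host])
        except ValueError:
            stale.append(host)  # unreadable banner: check this host by hand
            continue
        if (ident["software"], ident["comments"]) != (patched_software, patched_comments):
            stale.append(host)
    return stale

# Constructed sample banners; "ExampleSSH" and the package strings are made up.
SAMPLE = {
    "host-a": b"SSH-2.0-ExampleSSH_1.2 distro-1.2-4\r\n",
    "host-b": b"Welcome\r\nSSH-1.99-ExampleSSH_1.2 distro-1.2-3\r\n",
    "host-c": b"SSH-2.0-ExampleSSH_1.2\r\n",
}
```

A build that omits the package comment (host-c here) cannot be told apart from an unpatched one by its banner, so it is reported for a manual check.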