Slashdot Mirror


OpenSSH Local Root Hole

maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though it's a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."

8 of 490 comments

  1. Re:There goes OpenBSD's slogan... by Chundra · Score: 4, Funny

    Ummmm, RTFP!

    They aren't ruling out the possibility of a remote exploit.

  2. I can't wait for djbssh by Russ Nelson · Score: 5, Funny

    I can't wait for the Daniel J. Bernstein version of ssh.
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:I can't wait for djbssh by Anonymous Coward · Score: 5, Funny

      you mean the one that requires you to set up 3 accounts for the client, 3 accounts for the server, and comes with its own inetd replacement?

    2. Re:I can't wait for djbssh by biot · Score: 4, Funny

      It would be incompatible with the rest of the world's ssh implementations, of course, but I guess he'd write a DJB-RFC to take care of that.

  3. Re:Full disclosure = annoying. by Sarin · Score: 5, Funny

    Nah they don't. ;) But I'm working on exploit code as we speak.

  4. Re:smallest possible patch by ghjm · Score: 3, Funny

    When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that C is the right language to do coding in?

  5. Visual Basic by wiredog · Score: 5, Funny

    Has all the features any Modern Programmer could want. And it has the Highly Secure .net framework built in. What more could you want?

  6. Re:OpenSSH site already updated? by BlowCat · Score: 5, Funny

    Good thing that it's not a remote root exploit. Otherwise www.openbsd.org would now read:

    Four days without a remote hole in the default install!

    Not sure if OpenSSH is enabled by default though.