Slashdot Mirror


OpenSSH Vulnerability Disclosed, Version 3.4 Released

Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."
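
The bug class the summary names, an integer overflow while sizing a buffer from a count the peer supplies, as an added example in C. This is not OpenSSH's code and says nothing about where the real bug sat; the wire format (a 32-bit big-endian record count followed by fixed-size records), RECORD_SIZE, MAX_RECORDS and the demo_* functions are all constructed here for illustration. It shows the wrapped multiplication beside a checked version, and a parser that also refuses a message shorter than the count it advertises:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example, not the SSH
 * protocol): a 32-bit big-endian record count followed by that many
 * RECORD_SIZE-byte records. */
#define RECORD_SIZE 64u
#define MAX_RECORDS 1024u

/* Vulnerable sizing: count comes off the wire and is multiplied in
 * 32-bit arithmetic. count = 0x04000001 gives 0x04000001 * 64 =
 * 0x100000040, which wraps to 64, so a 64-byte buffer would be handed to
 * a loop that then tries to store 67 million records into it. This
 * function only returns the wrapped size; it never allocates or writes. */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Hardened sizing: reject zero and over-limit counts before any
 * arithmetic, and guard the multiplication itself so the check still
 * holds if MAX_RECORDS is raised later. Returns 1 and sets *out on
 * success, 0 on rejection. */
int checked_alloc_size(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_RECORDS)
        return 0;
    if ((size_t)count > SIZE_MAX / RECORD_SIZE)
        return 0;
    *out = (size_t)count * RECORD_SIZE;
    return 1;
}

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a message with the hardened sizing. Also checks that the message
 * really carries the records it claims, so a short message cannot make
 * the copy read past the input. Returns the record count, or -1 if the
 * message is rejected. The copied records are discarded; a real parser
 * would hand them to the caller. */
int parse_records(const unsigned char *msg, size_t len)
{
    size_t need;
    uint32_t count;
    unsigned char *buf;

    if (len < 4)
        return -1;
    count = read_be32(msg);
    if (!checked_alloc_size(count, &need))
        return -1;
    if (len - 4 < need)
        return -1;
    buf = malloc(need);
    if (buf == NULL)
        return -1;
    memcpy(buf, msg + 4, need);
    free(buf);
    return (int)count;
}

/* Build a constructed message: count header plus body_len filler bytes.
 * Returns the total length, or 0 if the output buffer is too small. */
size_t build_message(unsigned char *out, size_t cap, uint32_t count, size_t body_len)
{
    if (cap < 4 + body_len)
        return 0;
    out[0] = (unsigned char)(count >> 24);
    out[1] = (unsigned char)(count >> 16);
    out[2] = (unsigned char)(count >> 8);
    out[3] = (unsigned char)count;
    memset(out + 4, 'A', body_len);
    return 4 + body_len;
}

/* Honest message: two records, body of 128 bytes -> accepted, returns 2. */
int demo_honest(void)
{
    unsigned char m[4 + 2 * RECORD_SIZE];
    size_t l = build_message(m, sizeof m, 2u, 2 * RECORD_SIZE);
    return parse_records(m, l);
}

/* Wrapping count: naive sizing would allocate 64 bytes; the checked
 * parser rejects it and returns -1. */
int demo_wrapped_count(void)
{
    unsigned char m[4 + RECORD_SIZE];
    size_t l = build_message(m, sizeof m, 0x04000001u, RECORD_SIZE);
    return parse_records(m, l);
}

/* Count of 2 but only one record's worth of body -> rejected, -1. */
int demo_short_body(void)
{
    unsigned char m[4 + RECORD_SIZE];
    size_t l = build_message(m, sizeof m, 2u, RECORD_SIZE);
    return parse_records(m, l);
}

int main(void)
{
    printf("naive size for 0x04000001 records: %u bytes\n", naive_alloc_size(0x04000001u));
    printf("honest: %d, wrapped: %d, short: %d\n",
           demo_honest(), demo_wrapped_count(), demo_short_body());
    return 0;
}
```

The point of the two checks in checked_alloc_size is that the upper bound on count does the real work (no protocol needs 67 million records) while the SIZE_MAX division is cheap insurance against the limit being raised or the record size growing later.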

7 of 336 comments

  1. Open "Secure" Shell. by rmadmin · · Score: 0, Flamebait

    As far as my servers.. 'DOH!'.

    I got a customer at a bank that almost went to another webhosting provider because we ran linux, and he wanted something more 'Practical'. His suggestion, Solaris. Well.. What's that.. Sol9 shipped with OpenSSH? I see.. much more secure than our pathetic linux servers! Putz.

    It's not the cost of the software, it's how you admin it.

    1. Re:Open "Secure" Shell. by Anonymous Coward · · Score: 0, Flamebait

      Don't forget a finely tuned scheduler, proper memory management, and a _WORKING_ VM subsystem. No one uses Linux for real work, get over it.

  2. Re:Why was it kept hush hush? by Anonymous Coward · · Score: 1, Flamebait

    You repackagers make me sick, all you do is gripe. The folks at OpenSSH have worked their fucking asses off trying to make secure FREE code (in every sense of the word). They DID tell of a WORKABLE workaround until the patches were released. You gripe, you moan, you say you are going to look for another company that is willing to give a truly free implementation of SSH out.

    Why the fuck don't you write your own? Because you are a goddamn repackager. You don't give anything out of any real value. Why don't you for once THANK the people who work so goddamn hard to help the community.

    I am sick of you goddamn leeches. You leech leech leech, then cry because the blood is running low in your host. Parasites like yourself should either start contributing to projects like OpenSSH or shut the fuck up!

    PS. Thanks to the folks at OpenBSD and OpenSSH for the many hours you have contributed to making the world a little more free and secure!

  3. still getting buffer overflows huh? by hqm · · Score: 1, Flamebait

    Maybe if people stopped programming in C they wouldn't keep having integer overflow and buffer overflow bugs. This has been a solved problem in Lisp forever. Even Java has integer overflow, the C weenies never really learn to part with their old ways.

  4. Another theory goes down the drain by TheCabal · · Score: 0, Flamebait

    So much for the "many eyes, open source, no bugs" theory. And what's with the delayed announcement? Open-source taking a few clues from the Dark Side?

  5. Re:Why was it kept hush hush? by xmutex · · Score: 0, Flamebait

    Because Theo de Raadt is a brat (ha! rhymes!) and anyone who says differently is a dirty liar or a miscreant.

    --

    jack's bicycle is music to my ears

  6. Re:Workaround here: by MicroBerto · · Score: 1, Flamebait

    I don't know, but I'm willing to bet that the number of times he's gotten laid certainly hasn't gone *DOWN* since he stopped IRCing so much...

    --
    Berto