Slashdot Mirror


OpenSSH Vulnerability Disclosed, Version 3.4 Released

Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."

9 of 336 comments

  1. New Slogan! by skinney · · Score: 4, Funny

    "One remote hole in the default install, in nearly 6 years!" you can see it here: OpenBSD

    ~Shane

    1. Re:New Slogan! by bbh · · Score: 5, Funny

      Yeah, it was probably the guy with the exploit that updated the webpage :P

      bbh

    2. Re:New Slogan! by Anonymous Coward · · Score: 2, Funny

      You only think your toaster is secure.

    3. Re:New Slogan! by Wakko+Warner · · Score: 2, Funny

      Unfortunately, one remote hole is all you need.

      Sort of like cock pushups.

      Except the rooting is of a different nature.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    4. Re:New Slogan! by cachapa · · Score: 3, Funny

      It's better than the alternative:
      "5 hours without remote holes in the default install"

  2. Easy workaround by garett_spencley · · Score: 5, Funny

    Don't use SSH. Switch to telnet instead....

    ChallengeResponse... oh please! Telnet's never had these problems.

    (note for the humour impaired: this is a *joke*).

    --
    Garett

  3. How to fix ... by joe_fish · · Score: 5, Funny

    Just add a line to your /etc/ssh/sshd_config like this:

    CheckPasswords false

    And then reboot your sshd.

    Finally mail me, and I'll check that you really are safe. Oh, and don't worry about Slashdot users giving you bad advice; you can be sure to only get accurate information here.

  4. Re:Cheers, Theo by Anonymous Coward · · Score: 1, Funny


    hmm.. really? what's your IP? ;)

  5. Fuck it. by xmutex · · Score: 2, Funny

    I'm going back to telnetd and blind optimism.

    --

    jack's bicycle is music to my ears