Slashdot Mirror


New ssh Exploit in the Wild

veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will go to to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes."

5 of 754 comments

  1. GOOD!! Red Hat, fix your RPMs!! by RedHat+Rocky · Score: 5, Insightful

    Great, now maybe Red Hat will fix their damn openssh RPMs that they fubarred with their last patch!

    --
    Anything is possible given time and money.
  2. Re:Update for debian by bartman · Score: 5, Insightful

    Debian is absolutely amazing.

    Bug 211205, which deals with this exploit, was resolved in 2h after the announcement. I had my box patched 15min after the Slashdot story hit.

    Really good stuff.

    --
    -- bartman
  3. For Gentoo by jehreg · Score: 5, Insightful
    Just go to your net-misc/openssh directory:
    • cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
    • emerge --update openssh
    The emerge will fetch the file and complain that there is no digest.
    • ebuild openssh-3.7_p1.ebuild digest
    • emerge --update openssh
    Just tested it here, worked fine.
    Pat
  4. Re:very early by s.d. · Score: 5, Insightful

    Even though there is no patch available (yet)

    There is a patch available, as well as it being fixed in 3.7, which was just released this morning. That's the point of all of this. The mention of the bug was in the 3.7 release notes, I believe.

  5. Why all the lsh plugs? by kakos · Score: 5, Insightful

    It seems to me that a package that goes through code security audits regularly and is actually finished is infinitely more secure than an incomplete package?

    Why are there people suggesting to go from a secure package to an insecure one?