Remote Root Exploit In lsh
skookum writes "After last week's OpenSSH patch-fest, a lot of people suggested GNU lsh as a replacement. Unfortunately, it seems that the lsh team has recently discovered a heap overflow bug of their own that can lead to compromise. An exploit was posted to BugTraq two days ago. Happy patching."
Another week, another bug, another thread bashing Microsoft for software weaknesses.
When will Slashdot moderators *get it* ?
All software has bugs! Due to popularity, some software bugs are more actively sought than others.
Yes, really.
"Sufferin' succotash."
...and I just set up my first Linux box (RH9) a few weeks ago. If I wanted this kind of abuse, I would stick with Microsoft!!! *Sigh* I was really loving Linux too...the freedom, the power, the non-MS-ness...
>;^(
Spread the RC luvin'
Good software !== no bugs ever.
Why the hell not? Good bridges are the ones that don't fall down.
I know perfectly well that it's difficult to write bug free, or at least security problem free, code of any meaningful size, but it's about time we start to change our software development focus. Reasonable development techniques exist which are more difficult to do, but which result in code with a high degree of verifiably secure code.
You can't just trust that "the code is out there, so someone will read it." Every piece of security-conscious code written needs to be peer-reviewed, at least twice, by equally competent programmers to the one who wrote it. The peer reviewers need to nitpick at every bad design and programming technique decision. Every piece of security-conscious code should be software-fault injected after every release build, and all anomalous subcomponent behavior handled in an appropriate manner (and then peer reviewed again).
I'm sure there are quite a few other equally solid techniques that aren't being implemented across the board for security critical code. There's no fundamental limit to human ability which says we can't write secure code, we just need better procedures to prevent, catch, and block human errors.
Too bad php sux0rs and prolly should be replaced by ruby or anything else.
--
"I'm not bright. Big words confuse me. But Wanda loves me and that should be enough for you." - Cosmo