Re: [Nolug] [Scott Harney <scotth@scottharney.com>] Re: [brlug-general] I hope everyone has either patched or secured their SSH servers.

From: Scott Harney <scotth_at_scottharney.com>
Date: Tue, 16 Sep 2003 18:17:54 -0500
Message-ID: <87vfrsiaql.fsf@zenarcade.local.lan>

mah@everybody.org (Mark A. Hershberger) writes:

I recognize that it looks like rumor mill material until you
read the full-disclosure list entries. Couple this with the
flurry of rushed-out alerts and patch updates released by vendors
today and I think it's got some credibility.

OpenBSD released their fix yesterday prior to the full-disclosure
announcement. At that point no-one had claims of a working exploit.

Following today's discussion on full-disclosure, Gentoo, Debian, Red Hat, and
FreeBSD have all released updates to their OpenSSH packages with
accompanying advisories. These are just the ones I know of directly (and
have patched thus far -- at least in cases of boxes that have 22 open to
the internet).

This confluence of events coupled with the critical nature of the ssh
service is a big deal in my book. Some discussion on the list asserts
that it is not an exploitable hole but a DoS (sshd will crash). That's still
a big deal in my book.

Several other admins I work with feel pretty much the same way.

> Scott Harney <scotth@scottharney.com> writes:
>
>> This is a big one guys.
>
> Is it? From the OpenSSH advisory:
>
> All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> management error. It is uncertain whether this error is
> potentially exploitable, however, we prefer to see bugs
> fixed proactively.
>
> Doesn't sound too threatening. Right now rumors of an exploit are
> just "Friend of a Friend" type information: "Just what I've heard by
> proxy."
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010125.html
>
> An alternative is to use lsh (http://www.lysator.liu.se/~nisse/lsh/)
> which, if nothing else, gets you points on the obscurity front. Gets
> you out of the openssh upgrade cycle for a bit, anyway.
>
> But, really, saying this is "a big one" seems un-called-for right now.
>
> Unless you have a pointer to an exploit being found, that is...
>
> Mark.
> ___________________
> Nolug mailing list
> nolug@nolug.org
>

-- 
Scott Harney<scotth@scottharney.com>
"...and one script to rule them all."
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
Received on 09/16/03