SSH !EXPLOIT!

**gorn** · 09-16-2003, 08:02 PM

http://www.securityfocus.com/archive...3/2003-09-19/0

From what I got on /. the exploit is already in the wild. Upgrade to 3.7p1 ASAP!

**demian** · 09-16-2003, 08:36 PM

Is there really an exploit? The advisory says "It is uncertain whether this error is potentially exploitable". On the debian-security mailing list there's a discussion going on and the consensus seems to be that, yes, better update you system but no reports on this bug actually leading to an exploit have been filed.

Anyways, fellow debian users do an apt-get update && apt-get upgrade and are save. The patched version has just been accepted to both stable and unstable (20:41+0200).

**Blaqb0x** · 09-16-2003, 10:56 PM

Hi,

has anyone updated Openssh-3.5p1-1 on RH7.3. The updates on RHN are for Openssh-3.1p1-10. It seems that Openssh > Openssh-3.5p1-1 needs Openssl-0.9b. Upgrading this results in a lot of dependency conflicts. The latest source also needs libcrypto.so.4

Any ideas? I suppose I could down-grade to Openssh3.1p1-10 but, I don't want to.

**gorn** · 09-17-2003, 12:14 AM

i believe that there wasn't an exploit when 3.7 was released and now there is, but it's still not public.

as for the redhat issue, there is a patch avalible you can apply to your version