dagmar.wants at nospam.com
Wed Sep 24 14:37:38 PDT 2003
On Wed, 2003-09-24 at 16:24, Bully Cillóniz wrote:
> well i havent seen any proof of concept yet. So i dont know how vital it is
> to patch the src code.
Well, since the patches are pretty small, someone who actually knows C
and knows their way around shell code probably wouldn't need to spend
more than a day coming up with their own working exploit independently
of the tools that a few people probably already have, even though at the
current time it's presumed that a non-average configuration has to be in
effect for these bugs to be vulnerable to remote code execution. This
is not to say that with a normal configuration these bugs might not
represent a DoS vulnerability to the sshd service.
In any case, flaws in an authentication/access mechanism should always
have slightly higher priority than normal bugs, so if you've got nothing
else "on fire" at the moment, upgrading OpenSSH should be at the top of
your list of things to fix.
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
More information about the lfs-security