evan_tech -- new ssh vulnerability

04:14 pm, 22 Aug 03

new ssh vulnerability

From a higher-up at the UW:

Not that we need another crisis, but it *is* Friday afternoon. ;)

I have not yet been able to get confirming exploit code, but a group
I trust has been discussing a previously undiscussed vulnerability
in sftp in at least OpenSSH prior to 3.6.  This vulnerability
has supposedly been known in the underground for two years
(and may be related to the GNU ftp server advisory CERT sent out
recently.)

I would advise *everyone* using OpenSSH to upgrade immediately
to the latest version, or at least disable sftp (which is on by
default) if you are not using it.

I will send more information when I can confirm things.

uncaring	From a higher-up at the UW... I think there's only one person there that talks like that. First initial == last initial?
reply to this

evan	Naw, it was on the linux list. David Talkington, I think?
reply to this

uncaring	Oh, I guess it would have helped to check my email. Heh, it actually was from who I suspected (not David Talkington). It's funny/weird/cool how people can be identified based on their writing style and their word selection. Even the words that were emphasized helped give him away =)
reply to this

zanfur	Oh yes. Good ol' Dittrich. I'll have to ask him where he got that info.
reply to this

uncaring	I infer from the "group I trust" comment and the fact that he doesn't put a name to the group that it's one of the private groups that he's in. In the past, he was fairly secretive about them, so I wouldn't be surprised if you didn't get a real answer from him.
reply to this

dormando what the hell.

reply to this

dormando	what the hell.
reply to this