Re: ssh vulnerability in the wild
Hello,
I don't really know much about computer security, but I do have ssh
installed on my computer so I'm somewhat concerned, please forgive my
stupidity if I ask questions that seem stupid, ignorant or trivial.
When I read slashdot this morning, I thought the article titled
"New ssh Exploit in the Wild" implied that an exploit was already out
... or does "in the Wild" generally mean it's theoretically possible,
but not necessairly done yet?
Also, from the sounds of the debian-security list, I get the
impression that the SSH vulnerability is not as bad as it sounds --
but from the Slashdot posts (with people posting random sections of
logs, links to RPMS/SRPMS, and suggesting alternatives) it seems as
if the risk is most serious. Can anyone enlighten my ignorance on
this?
On a slightly off topic note, I'm thinking about running an
ftp/http/ssh server for personal use in college. What precautionary
measures should I take, or rather can I take? From reading over the
various Slashdot posts, I'm thinking that beyond
(1) making sure system isn't running any unnecessary servers
(Debian seems pretty good in this by default)
(2) making sure all software is up to date
and
(3) since it's a college campus, possibly being able to ask
technical support for the subnet (correct word?) of all campus IP
addresses, and only allowing access IP addresses on that subnet
beyond all of that, there really isn't much that I can do is there?
Thanks,
--TongKe Xue
--- Josh Carroll <josh.carroll@psualum.com> wrote:
> Actually, people have reported that there is an exploit, and in
> fact even OpenBSD is vulnerable.
>
> I would still patch ASAP. Best not to risk it.
>
> It's probably a matter of time before a widely available exploit is
> released. Right now it seems
> it's in the hands of a select few, but that will probably change
> sooner than later.
>
> By the way, you can grab the incoming openssh package from:
>
> http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.deb
>
> if you want to patch your unstable system without building your own
> package with the buffer.c
> patch. (assuming i386 of course).
>
> I personally would like to see said exploit so I can test my
> systems post-patch. But I guess
> we'll have to trust the packages and/or buffer.c patch.
>
> Josh
>
>
> Florian Weimer (fw@deneb.enyo.de) wrote:
> > Ted Roby <secalert@tedroby.com> writes:
> >
> > > Does this vulnerability require a login? Is a system safe if it
> does not
> > > allow root login, and password logins?
> >
> > Nobody knows the answer at the moment. There isn't any obvious
> way to
> > exploit the overflow (mind that the attacker cannot write
> arbitrary
> > data, just a couple of zeros), and I still doubt if it is
> exploitable
> > at all.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> >
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
Reply to: