OpenSSH Vulnerability Found
The vulnerability prompts a warning from the suite's developers, who are rushing to prepare a fix.
A vulnerability has been discovered in a popular, free implementation of the Secure Shell protocols, prompting a warning from the suite's developers, who are rushing to prepare a fix.
The vulnerability, which concerns local- and remote-root compromise, surfaced yesterday in OpenSSH, the free set of network connectivity tools developed by the OpenBSD Project. OpenSSH is frequently used in place of telnet, rlogin and ftp access and comes bundled with OpenBSD and a number of other open-source operating systems.
The vulnerability disclosure, posted Tuesday on the front page of the OpenSSH Web site, comes just days after the release of the latest version of the SSH package. According to the warning, users "are strongly encouraged to upgrade immediately to OpenSSH 3.3 with the UsePrivilegeSeparation option enabled. Privilege Separation blocks this problem. Keep an eye out for the upcoming OpenSSH 3.4 release on Monday [July 1] that fixes the vulnerability itself."
According to developer Theo de Raadt, founder of the OpenBSD and OpenSSH projects, "No one knows about this hole yet."