Linux Today: Linux News On Internet Time.

OpenSSH update (Zero-day exploit?)

Jul 08, 2009, 20:32

"So, I'm not persuaded that an 0day exists at all. The only evidence so far are some anonymous rumours and unverifiable intrusion transcripts.

"Speculating as to what an exploit, should it exist, might consist of:

"The two issues of note that have been fixed since openssh-4.3 are the aforementioned signal race (in 4.4) and a privsep signature verification weakness (in 4.5). I doubt that it is the race condition as not even Mark Dowd was able to make a working exploit from it. The privsep weakness could be used to escalate privilege out of some other unknown flaw, but it would not grant access by itself."
