Remote root hole in OpenSSH, exploit in the wild

Electrode

I'm shocked that no one has mentioned this here. If it were a hole in Windows it'd be stickied on every forum...

Anyway, if you're running OpenSSH, update to 3.7.1 right now! If you're using a major Linux distro, Free/Net/OpenBSD, or anything else that includes OpenSSH, check for an updated package. Otherwise, you can get the source code from here.
 

Barnaby W. Füi

Word. I'll have to get around to installing the update tonight; in the meantime I just stopped forwarding port 22 from the 'net.

edit: I have yet to find a page for this exploit, other than some vague mailing list posts, and the .adv file on openbsd.org. *Rumor* has it that it's only for root, so turning off root login will prevent a problem. However, it ALL seems to be rumor, which is highly annoying (and why I'm in no hurry to fix it before I get a good idea of what the issue really is).