

OpenSSH update from Damien Miller - bcl
http://lwn.net/Articles/340483/

======
brown9-2
So basically this story boils down to (at least as of now):

 _...I'm not persuaded that an 0day exists at all. The only evidence so far
are some anonymous rumours and unverifiable intrusion transcripts._

Maybe this should be a lesson to wait for more solid info before people begin
panicking...

~~~
weaksauce
Or if you have a server that is very important you can take steps to mitigate
the problem until the issue is resolved. In that case I would make it so that
the ssh is only accessible behind a firewall on the local network. If it is a
front-facing server with no backend network I would change the open
port (though this should be done already) and/or enable port knocking. You
could also set iptables to only allow access from your remote network.
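
The source-address restriction suggested in the comment above, as an added example that is not part of the thread. The chain name `SSH_ALLOW`, the function names and the addresses (RFC 5737 documentation ranges) are assumptions; the script only prints the `iptables` commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example. Prints (does not apply) iptables commands that limit sshd to
# an allow-list of source networks. Chain name SSH_ALLOW and all addresses
# below are constructed/hypothetical (RFC 5737 documentation ranges).

# valid_cidr ADDR[/LEN]: succeed only for a well-formed IPv4 address/network.
valid_cidr() {
  case $1 in
    */*) _ip=${1%/*}; _len=${1#*/} ;;
    *)   _ip=$1; _len=32 ;;
  esac
  case $_len in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$_len" -le 32 ] || return 1
  case $_ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
}

# ssh_allowlist_rules PORT NET...: validate everything first, then emit rules.
ssh_allowlist_rules() {
  _port=$1
  [ $# -gt 0 ] && shift
  case $_port in ''|*[!0-9]*|??????*) echo "bad port: $_port" >&2; return 1 ;; esac
  [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "bad port: $_port" >&2; return 1; }
  # An empty allow-list would drop every SSH client, including the admin.
  [ $# -ge 1 ] || { echo "empty allow-list, refusing" >&2; return 1; }
  for _net in "$@"; do
    valid_cidr "$_net" || { echo "bad network: $_net" >&2; return 1; }
  done
  echo "iptables -N SSH_ALLOW"
  for _net in "$@"; do
    echo "iptables -A SSH_ALLOW -s $_net -j ACCEPT"
  done
  echo "iptables -A SSH_ALLOW -j DROP"
  # Inserted at the top of INPUT so earlier ACCEPT rules cannot bypass it.
  echo "iptables -I INPUT -p tcp --dport $_port -j SSH_ALLOW"
}

# Constructed sample: office network plus one admin host, sshd on port 22.
ssh_allowlist_rules 22 192.0.2.0/24 198.51.100.7
```

Apply the printed commands as root only from a session whose source address is on the list, since every other SSH client is dropped once the `INPUT` rule is in place.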

~~~
JeremyChase
Or you could be running a version of OpenSSH that is less than four years old.
4.3 came out in 2005.

~~~
weaksauce
The thing is, without full disclosure from the dev team (after they find out if
it is in fact a true exploit), by upgrading in the dark just to upgrade you could
be upgrading to a version of the software that has the exploit.

~~~
JeremyChase
Every report I have found says that, if an exploit does exist, it is in an old
version of OpenSSH. I have no idea why you would update to anything but a
recent version. If you suggest that your distribution doesn't have an update
to a recent enough version, then rumored OpenSSH exploits are the least of
your security concerns.

Your post also suggests that Damien Miller and the OpenSSH development team
would not disclose the exploit. Are you aware that one of the goals of the
OpenBSD and OpenSSH projects is Full Disclosure? What evidence do you have to
suggest that they would go against their own goals?

<http://www.openbsd.org/security.html>

~~~
weaksauce
I think I might not have been clear enough in my point. The people at OpenSSH
are good, that was not in question. The point I was making is that the "anti-
sec movement" are miles away from trustworthy. Without a confirmation from the
actual devs that the current (5.x) versions are OK from the "exploit" I will
not be upgrading from the most recent version that is on my distro.

Taking a random "hacker" without proof at face value on the internet is not my
cup of tea.

As randallsquared pointed out here
<http://news.ycombinator.com/item?id=692344> it is entirely possible that the
latest version has the problem and this is all a social engineering hack to
get everyone to upgrade to a compromised version without any data whatsoever.

------
matthewking
Excuse my ignorance, but who is Mark Dowd?

Edit: link I just found: <http://taossa.com/index.php/author/mark/>

~~~
weaksauce
I hadn't heard of him either, but a Google search looks like he is pretty good
at exploits: <http://blogs.zdnet.com/security/?p=1030>

~~~
brown9-2
Related links/discussions about his exploits if you're interested:

<http://news.ycombinator.com/item?id=164725>
<http://news.ycombinator.com/item?id=690592>
<http://news.ycombinator.com/item?id=692881>

