Contributed by Dengue from the of-course-your-not-using-ssh dept.
Andrew Newman of Yale University and an anonymous system administrator at the University of Helsinki have discovered a potential remote root compromise in version 3.0 of SSH Secure Shell from SSH Communications. There is a problem with password authentication to the sshd2 daemon that could allow any user to access accounts with password fields of two or fewer characters by using any password, including an empty one. Version 3.0.1 of SSH Secure Shell fixes this problem. Operating systems affected include: Linux (many), Solaris 2.6-2.8, HP-UX 10.20 and 11.00. Not affected are Tru64 4.0G, NetBSD, and OpenBSD.
As soon as this is up at BUGTRAQ, I'll post a link to the advisory. Most, if not all, of you are probably using OpenSSH, and are unaffected by this vulnerability.
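To see which accounts on a host meet the condition described above, the following shell function lists every entry whose password field is two characters or fewer. It is an added example, not code from the advisory or from SSH Communications; it assumes a colon-separated passwd/shadow-style file with the password field in column 2, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose password field is two characters or
# fewer, the condition the post ties to the sshd2 3.0 authentication flaw.

# audit_short_pwfields FILE   (hypothetical helper name)
# FILE is a colon-separated passwd/shadow-style file with the password
# field in column 2. Prints "account<TAB>length<TAB>field" for each match.
audit_short_pwfields() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF < 2         { next }    # not an account record
        length($2) <= 2 {
            # Short fields are usually placeholders such as "*", "!!" or
            # "NP", or an empty field, rather than real password hashes.
            printf "%s\t%d\t%s\n", $1, length($2), ($2 == "" ? "<empty>" : $2)
        }
    ' "$1"
}

# write_sample_shadow FILE   (hypothetical helper name)
# Writes constructed sample records, not taken from any real host.
write_sample_shadow() {
    cat > "$1" <<'EOF'
# constructed sample data
root:$1$constructed$0123456789abcdefghijkl:11500:0:99999:7:::
daemon:*:11500:0:99999:7:::
bin:!!:11500:0:99999:7:::
lp:NP:6445::::::
guest::11500:0:99999:7:::
alice:$1$constructed$mnopqrstuvwxyzABCDEFGH:11500:0:99999:7:::
locked:*LK*:::::::
EOF
}

# When a file is given on the command line, audit it.
if [ -n "${1:-}" ]; then
    audit_short_pwfields "$1"
fi
```

On hosts that use shadow passwords, run it as root against the shadow file, since the second field of `/etc/passwd` there is only a placeholder. Any account it lists should be reviewed before sshd2 3.0 is exposed, and the fix remains the upgrade to 3.0.1.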