Serious vulnerability fixed with OpenSSH 9.8

by corbet from LWN.net (#6NXBK)

OpenSSH 9.8 has been released, fixing an ugly vulnerability:

Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been examined.

There is a configuration workaround for systems that cannot be updated, though it has its own problems. See this Qualys advisory for more details.
