Does anyone know anything about this "0-day" ssh vulnerability?

Vincent Danen vdanen at redhat.com
Wed Jul 8 03:14:59 EST 2009


Hi all.  I've looked at the archives and it seems to be quiet regarding
this supposed "0-day" openssh vulnerability and I'm wondering if anyone
here may have some insight or further information regarding it.

We've been monitoring things and the amount of speculative info flying
around is incredible.  Some claim it's the CPNI-957037 issue, thus
affecting <5.2, others are indicating it's the unsafe signal handler
issue fixed in 4.4.

Granted, Red Hat does ship with a patched 4.3, but we have corrected all
issues that we know to have existed with 4.3.  And the veracity of the
supposed "logs" is sketchy at best.

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team 


More information about the openssh-unix-dev mailing list