Actually, people have reported that there is an exploit, and in fact even 
OpenBSD is vulnerable.

I would still patch ASAP. Best not to risk it.

It's probably a matter of time before a widely available exploit is released. Right now it seems it's in the hands of a select few, but that will probably change sooner than later.

By the way, you can grab the incoming openssh package from:

http://incoming.debian.org/ssh_3.6.1p2-6.0_i386.deb

if you want to patch your unstable system without building your own package with the buffer.c patch (assuming i386, of course).

I personally would like to see said exploit so I can test my systems post-patch. But I guess we'll have to trust the packages and/or buffer.c patch.

Josh


Florian Weimer ([EMAIL PROTECTED]) wrote:
> Ted Roby <[EMAIL PROTECTED]> writes:
> 
> > Does this vulnerability require a login? Is a system safe if it does not
> > allow root login, and password logins?
> 
> Nobody knows the answer at the moment.  There isn't any obvious way to
> exploit the overflow (mind that the attacker cannot write arbitrary
> data, just a couple of zeros), and I still doubt if it is exploitable
> at all.