SSH vulnerability -- patch now!

As reality_fox just found out the hard way, there's a new SSH exploit in the wild. It affects Debian, Gentoo, RedHat and OpenBSD systems (or anything using OpenSSH prior to v3.7). You should close your SSH ports immediately and then go get and apply the SSH patches going online now. I'm doing that at my office in the background while submitting this LJ entry.

Slashdot has more info on the specific bits. Here's a quick cut-paste for redhat users:

1.- Download the file openssh-3.7p1-1.src.rpm from any of the mirrors. For example:
ftp://ftp.easynet.be/openssh/portable/rpm/SRPMS/op enssh-3.7p1-1.src.rpm

2.- Build an .rpm for your RedHat Linux version:

# rpm --rebuild openssh-3.7p1-1.src.rpm

3.- Upgrade your OpenSSH packages:

# rpm -Fvh /usr/src/redhat/RPMS/i386/openssh-*.rpm

4.- Re-start your sshd daemon:

service sshd restart


This is a serious security hole. Many machines are being owned. Good luck on getting through to RedHat to get the 3.7 upgrade... just keep trying!

Hurricane Watch -- in California.

My company makes GPS chips for cell phones and the services to support their use. These enable the cell phone companies to provide E911 (Enhanced 911) services to their customers. Nifty things come of this like the ability for rescuers to find you in a building or off the side of the road in a ditch with much higher accuracy.

These systems have been in full roll-out with a handful of US carriers for a few months now. They've had a little traffic but not a lot. The hurricane currently pounding our east coast will (unfortunately for folks living there) generate a lot of E911 traffic. More than one carrier is a little worried about this bieng our first real-world "high load test". We've done far past that in the lab without a problem so we're not too worried... but still, we've been asked to keep our 'core personnel' available 24/7 during this weather event just in case. If our systems go down for any reason we have hot and cold standby gear ready to deploy to shore it up.

My boss just told me that, yup, I'm core personnel. At least I didn't have any plans to go anywhere this week. Here's to hoping that the fewest folks possible get hurt during this bad weather -- and those that do, may help find you as quick as possible. I'm proud to be part of a company that will help speed that help up.