stillinbeta

Beta is on cohost dot org

@stillinbeta

pegasus, not pegacis

small, swift, and easily startled

log inask
blog
blog.stillinbeta.com/
tumblr
tumblr.stillinbeta.com/
contact
stillinbeta.com/contact
stillinbeta
@stillinbeta
DecayWTF
@DecayWTF
ireneista
@ireneista

no, yeah, we just finished

annoying :)

we do think it would be challenging to exploit in practice, which might affect your sense of urgency, but you should err on the side of updating before you forget

DecayWTF
@DecayWTF

This one's not as bad as the last big compromise but the vulnerability has been in ssh much longer so:

  • If you are running Linux, update your system.
  • If you are running WSL or macos and have installed openssh, update WSL or homebrew respectively
  • FreeBSD may not be vulnerable but the project has issued patches out of an abundance of caution, so update
  • OpenBSD is safe and is in fact sort of the reason for the vulnerability, lol, lmao
  • Other systems, idk, hope you know what you're doing running OpenSSH on AmigaOS or Haiku or whatever
You must log in to comment.

in reply to @amb's post:

in reply to @DecayWTF's post:

Space-G
@Space-G

"OpenBSD is safe and is in fact sort of the reason for the vulnerability"

I thought they were the ones who created openssh? I probably am wrong tho.

I'm curious about what I quoted, enough to comment, but not enough to research it :eggbug-tuesday:

login to reply
DecayWTF
@DecayWTF

They are, the disclosure explains it but basically the vulnerability is because OpenSSH has a safety feature available in OpenBSD that isn't there in other systems:

OpenBSD is notably not vulnerable, because its
SIGALRM handler calls syslog_r(), an async-signal-safer version of
syslog() that was invented by OpenBSD in 2001.

login to reply
Pinned Tags