The following summary from Debian’s security list:

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd’s SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

  • qprimed@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    5 months ago

    indeed, but your SSH ports should not be hanging out in the wind for any old IP to hit.

    • cron
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      openssh is typically quite robust, this is a rare exception