openssh 6.2 and 6.3 bug (slightly relevant to gitolite users)


Sitaram Chamarty

Nov 9, 2013, 11:56:01 PM
to Gitolite Google Groups, gitolite...@googlegroups.com
Reference: [1] and other places linked from there.

My opinion: very low risk.

My reason: exploiting it requires that the attacker "pre-load the heap
with a useful callback address".

If your gitolite server is a dedicated server and your users do not have
shell access to it (any userid), I don't see how this can happen.

If they do have shell access, well then upgrade to openssh 6.4 I guess.

[1]: https://lwn.net/Articles/573355/