
OpenSSH Vulnerability
  Author: nulldevice
Added: 09/17/2003
Type: Advisory
Details

 

A vulnerability has been discovered in OpenSSH. This vulnerability appears to have been exploited to compromise machines at a few ISPs. We highly recommend upgrading to version 3.7p1, which was released earlier today.

This bug may not be exploitable on some platforms (e.g. OpenBSD) but could be exploitable on others (e.g. Linux).

Currently, there is no widely available exploit. However, there are some rumors about intrusions using this vulnerability to compromise systems.

Workaround

(*) Block access to port 22 from untrusted IP addresses
(*) Enable the 'Privilege Separation' feature. It is not clear whether this will prevent the current exploit, but it is likely to make any compromise harder.
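
A host-side check for the upgrade recommendation and the Privilege Separation workaround, added here as an example that is not part of the original advisory. It assumes version banners of the form OpenSSH_<major>.<minor>; the function names, sample banner and sample config are constructed for illustration, and UsePrivilegeSeparation is the sshd_config keyword that controls the feature.

```sh
#!/bin/sh
# Added example (not from the advisory): check a host against the advice above.
# Assumption: version banners look like "OpenSSH_<major>.<minor>[...]".

# Exit 0 if the banner is older than 3.7, 1 if it is 3.7 or newer, 2 if unparseable.
is_older_than_3_7() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -lt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -lt 7 ] && return 0
    return 1
}

# Print the first UsePrivilegeSeparation value found in an sshd_config file
# (keywords are case-insensitive and sshd uses the first occurrence), or
# "unset" when the keyword is absent or only appears in comments.
privsep_setting() {
    val=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" |
        awk -F'[ \t=]+' 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }')
    printf '%s\n' "${val:-unset}"
}

# Report both findings on one line. $1 = version banner, $2 = path to sshd_config.
audit_sshd() {
    rc=0
    is_older_than_3_7 "$1" || rc=$?
    case $rc in
        0) verdict="UPGRADE" ;;
        1) verdict="ok" ;;
        *) verdict="unknown-version" ;;
    esac
    printf '%s privsep=%s\n' "$verdict" "$(privsep_setting "$2")"
}

# Constructed sample input: an old banner and a config that disables the feature.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' '  UsePrivilegeSeparation no' > "$sample"
audit_sshd 'OpenSSH_3.6.1p2, SSH protocols 1.5/2.0' "$sample"
rm -f "$sample"
```

On a real host, pass the banner printed by `ssh -V` and the path to the live sshd_config; an "unset" result means the build's default applies.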

At the time of this writing, no major Linux distribution had released an official update.

Related links:

Portable OpenSSH Source:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

OpenSSH Web site:
http://www.openssh.org

OpenSSH Advisory:
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html

As always: Verify PGP signatures for any patches or files you download.




© Copyright Linux Advisory 2003. All rights reserved.
We are not responsible for the comment and story contributed by users.