Subject: Re: unix worm via ssh1
To: Seth Kurtzberg <seth@cql.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 11/16/2001 10:39:22
On Thu, 15 Nov 2001, Seth Kurtzberg wrote:
> Definitely interesting. Do we know that NetBSD does, or doesn't, suffer from
> this vulnerability? I can't really tell from the description (I'm not
> > http://www.vnunet.com/News/1126812
> > identified so far and, if it is new, Salusky has
> > already christened it 'Limpninja'. ''
I believe this is the same ssh exploit documented recently in bugtraq. If
I understand correctly, this was also fixed last February. See:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-003.txt.asc
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
So recent NetBSDs don't have this problem.
I noticed that the ftp server didn't have an updated binary package for
ssh for 1.4.2 i386. Does anyone have it?
Jeremy C. Reed
http://www.reedmedia.net/