# OpenSSH 3.4

## DrSpock

NOTE: Covered by Sticky above sorry for the redudency  :Smile: 

OpenSSH 3.4 was released fixing the discovered vulnerabilitiy in previous versions:

1. Versions affected:

        All versions of OpenSSH's sshd between 2.9.9 and 3.3

        contain an input validation error that can result in

        an integer overflow and privilege escalation.

        OpenSSH 3.4 and later are not affected.

        OpenSSH 3.2 and later prevent privilege escalation

        if UsePrivilegeSeparation is enabled in sshd_config.

        OpenSSH 3.3 enables UsePrivilegeSeparation by

        default.

        Although OpenSSH 2.9 and earlier are not affected

        upgrading to OpenSSH 3.4 is recommended, because

        OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:

        This bug can be exploited remotely if

        ChallengeResponseAuthentication is enabled in sshd_config.

	Affected are at least systems supporting

	s/key over SSH protocol version 2 (OpenBSD, FreeBSD

	and NetBSD as well as other systems supporting

	s/key with SSH).  Exploitablitly of systems

	using PAM in combination has not been verified.

------

While looking at the HTTP browser of RSYNC mirror, I see no ebuild or package for OpenSSH 3.4. I can imagine those running OpenSSH [sshd] might  not update it on their own besides for using emerge.

----------

## Zu`

 *DrSpock wrote:*   

> While looking at the HTTP browser of RSYNC mirror, I see no ebuild or package for OpenSSH 3.4. I can imagine those running OpenSSH [sshd] might  not update it on their own besides for using emerge.

 

It's there now  :Smile: 

```
emerge rsync

emerge -u openssh

emerge -c openssh
```

Greets

----------

