eDoc2020
Mental Outlaw
comments
Comments by "eDoc2020" (@eDoc2020) on "Another Critical OpenSSH Vulnerability" video.
I'm 99% sure it would; Raspbian is based on Debian, which shipped an affected version. Fortunately the patch is already out. Update and it will be fixed. And of course it's only a real problem if you had SSH enabled and exposed to the public Internet. If you didn't enable port forwarding on your router, nobody will have had a chance to access the bug.
2
If you have an affected system it's a huge problem. Just update and you'll be fine.
1
I think so. But on the other hand it's (AFAIK) basically guessing a random number. It might take 8 hours on average, but if an attacker is lucky they'll get it on the first try.
1
@evanknight8572 Absolutely nothing. If you just did a regular desktop install you probably don't have the SSH server installed, or at the very least not enabled. The client package (which is installed as part of the standard tool suite) will have an update because of how the development cycle works, but will not have the vulnerability itself.
1
Does that really work? I was worrying because I have some exposed SSH servers but they all have password login disabled.
1
@nothingnothing1799 It's also easy for a compromised client to send over passwords. And even worse, the server always gets sent the full password. If the server is temporarily compromised but then patched, the password gets stolen.
1
@fish3977 Running OpenSSH 6.7 here, immune to this problem. Fortunately port 22 is not directly accessible. On the other hand, I have a system which has OpenSSH 9.2 directly exposed (although at least not on 22). I'll need to update this ASAP.
1