The exploit double frees a memory location which causes a segfault (that's
what happens in UNIX anyway) and crashes any program that uses the old
library. I doubt you can gain root access from a segfault; however, I
could be wrong.

-Jeremy

> -----Original Message-----
> From: owner-kclug@marauder.illiana.net
> [mailto:owner-kclug@marauder.illiana.net]On Behalf Of Brian Densmore
> Sent: Thursday, March 21, 2002 1:20 PM
> To: KCLUG (E-mail)
> Subject: RE: SSL and SSH
>
>
> Static linking is generally a very bad thing. Think about all those
> applications out there that are static linked to zlib 1.1.3. They all
> now have to be recompiled with zlib 1.1.4 to fix the "double free" root
> exploit. Anyone figured out how to use it yet? Please don't post it, if
> you have. I am just wondering. I haven't figured out a way to exploit
> from an external machine. I could write a program to do it, but then the
> problem is to get it on to a box and then execute it. I'm not sure how
> you would do it without putting your own trojan on the box first. So you
> would have to have an exploit to exploit the exploit!? That new PHP
> exploit actually sounds rather bad though.
>
> Brian
>
> > -----Original Message-----
> > From: JD Runyan [mailto:Jason.Runyan@nitckc.usda.gov]
> > Sent: Thursday, March 21, 2002 11:41 AM
> > To: KCLUG (E-mail)
> > Subject: Re: SSL and SSH
> >
> >
> > You can compile it with static linking of the ssl libraries,
> > but I think you
> > would have to use another machine to generate keys.
> > On Mar 21 11:13, Brian Densmore wrote:
> > > ssh depends on ssl. Can't install ssh if you don't have
> > ssl. At least
> > > none of the versions I have ever seen let you. I'd be interested in
> > > knowing of anyone who has installed ssh without ssl. Not that I
> > > recommend it.
> > >
> > > > -----Original Message-----
> > > > From: Jonathan Hutchins [mailto:hutchins@opus1.com]
> > > > Sent: Thursday, March 21, 2002 11:08 AM
> > > > To: Brian Densmore; KCLUG (E-mail)
> > > > Subject: Re: Permissions Question
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian Densmore"
> > > >
> > > >
> > > > > Install openssl and openssh.
> > > >
> > > > You explain what Seth will be doing with SSH, but why does he
> > > > need ssl too?
> >
> > --
> > JD Runyan
> > Mid-Range Systems Administrator
> > USDA NITC Kansas City
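
Added example, not part of the thread: one way to find the statically linked zlib copies discussed above is to search each binary for the version marker strings that zlib compiles into itself. The function names and sample byte strings are constructed for illustration, and treating every release before 1.1.4 as affected is an assumption.

```python
import re
import sys
from pathlib import Path

# zlib embeds these marker strings (deflate_copyright / inflate_copyright in
# its sources), so they survive inside any binary that links it statically.
ZLIB_MARKER = re.compile(rb"(deflate|inflate) (\d+)\.(\d+)\.(\d+)[^ ]* Copyright")
FIXED = (1, 1, 4)  # release named in the thread as fixing the double free


def embedded_zlib_versions(data: bytes) -> set:
    """Return every zlib version tuple whose marker string appears in data."""
    return {tuple(int(g) for g in m.groups()[1:]) for m in ZLIB_MARKER.finditer(data)}


def needs_rebuild(data: bytes) -> bool:
    """True when data embeds a zlib older than FIXED (assumption: all are affected)."""
    return any(v < FIXED for v in embedded_zlib_versions(data))


def scan(paths):
    """Yield (path, sorted versions) for each readable file embedding an old zlib."""
    for path in map(Path, paths):
        try:
            data = path.read_bytes() if path.is_file() else b""
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if needs_rebuild(data):
            yield str(path), sorted(embedded_zlib_versions(data))


# Constructed sample blobs standing in for real binaries.
SAMPLE_STATIC_OLD = (b"\x7fELF\x00junk\x00 deflate 1.1.3 Copyright 1995-1998 "
                     b"Jean-loup Gailly \x00 inflate 1.1.3 Copyright 1995-1998 "
                     b"Mark Adler \x00")
SAMPLE_STATIC_FIXED = b"\x7fELF\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
SAMPLE_DYNAMIC = b"\x7fELF\x00libz.so.1\x00deflateInit_\x00"  # symbol names only

if __name__ == "__main__":
    for name, versions in scan(sys.argv[1:]):
        print(name, ", ".join(".".join(map(str, v)) for v in versions))
```

A hit on the shared libz itself only means the system library is old and can be fixed by upgrading it once; hits on other executables are the ones that need recompiling. Packed or compressed executables can hide the marker, so a clean result is not proof of absence.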