MJ Ray writes:
Can you tell me whether openssh versions are also vulnerable?
Funny how these things happen. A couple of messages after your email in my inbox, I received the following which might help answer your question.
A new version of OpenSSH has been released, OpenSSH 3.0.2. This release fixes a vulnerability in the UseLogin option of OpenSSH. This option is not enabled in the default installation of OpenSSH. However, if UseLogin is enabled by the administrator, all versions of OpenSSH prior to 3.0.2 may be vulnerable to local attacks.
The vulnerability allows local users to pass environment variables (e.g. LD_PRELOAD) to the login process. The login process is run with the same privilege as sshd (usually with root privilege).
Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config:

    UseLogin no
So the bottom line is that OpenSSH has vulnerabilities too.
HTH.
..Adrian
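
The check the quoted advisory implies, as an added example that is not part of the original message or the OpenSSH advisory: a host is exposed only when the version is older than 3.0.2 and UseLogin is enabled. The function names and sample config are constructed for illustration, and the script assumes sshd keeps the first value it reads for a keyword.

```python
import re

FIXED = (3, 0, 2)  # release that fixes the UseLogin issue, per the advisory

# Constructed sample config: the first UseLogin line is the one that counts.
SAMPLE_CONFIG = """\
# /etc/sshd_config (constructed sample)
Port 22
#UseLogin no
UseLogin yes
UseLogin no
"""

def uselogin_enabled(config_text):
    """True if the first uncommented UseLogin line enables it.
    Keywords are matched case-insensitively; a missing keyword means the
    default (not enabled, as the advisory states)."""
    for raw in config_text.splitlines():
        tokens = re.split(r"[\s=]+", raw.strip())  # 'Key value' or 'Key = value'
        if not tokens[0] or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0].lower() == "uselogin" and len(tokens) > 1:
            # Assumption: treat yes/true in any case as enabled (errs toward flagging).
            return tokens[1].strip('"').lower() in ("yes", "true")
    return False

def parse_version(banner):
    """Turn a string such as 'OpenSSH_3.0.1p1' into (3, 0, 1)."""
    m = re.search(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no OpenSSH version in %r" % banner)
    return tuple(int(g or 0) for g in m.groups())

def exposed(banner, config_text):
    """Both conditions from the advisory: pre-3.0.2 and UseLogin enabled."""
    return parse_version(banner) < FIXED and uselogin_enabled(config_text)

if __name__ == "__main__":
    for banner in ("OpenSSH_3.0.1p1", "OpenSSH_3.0.2p1"):
        state = "exposed" if exposed(banner, SAMPLE_CONFIG) else "not exposed"
        print(banner, state)
```

A version string alone does not show whether a vendor has backported the fix, so treat a hit as a prompt to check the installed package.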