Details and a patch have been issued a day earlier than expected for the OpenSSH security hole uncovered late last week. A vulnerability in the challenge/response authentication mechanism of the OpenSSH daemon, versions 3.3 and earlier, could allow remote superuser compromise. ISS’s advisory has more details (they actually gave the developers a few days before issuing it this time – must have learned from the Apache fiasco), and the official OpenSSH advisory has a quick patch. However, it is recommended that users update to version 3.4, as it fixes this vulnerability as well as a number of other issues.