A new vulnerability in OpenSSH can, under some circumstances, be exploited by a local attacker to execute arbitrary code with the permissions of the root user. Exploiting this vulnerability requires that the "UseLogin" option be enabled, which most systems do not configure in the default installation. The vulnerability affects OpenSSH versions earlier than 3.0.2.
Users should upgrade their OpenSSH packages to version 3.0.2 or newer as soon as possible. Systems configured with the "UseLogin" option enabled should disable this option until OpenSSH has been upgraded.
