An advisory released by Core-SDI indicates that a
combination of bugs in ssh and the rsaref2 library can be exploited to gain
remote access to a host running the vulnerable program. The version of ssh in
Debian is not linked against rsaref2, and is not vulnerable
as shipped. Note that if you compile a local copy of ssh with the rsaref2
library, your local copy may be vulnerable. See the CoreLabs advisory
CORE-1201999 for more information.
Any software that uses the rsaref2 library could be vulnerable.