Frank DENIS random thoughts.

Another OpenSSH-portable vulnerability?

Yet another vulnerability in the PAM code of OpenSSH-portable. A basic format-string bug. Of course, if you are running FreeBSD, the base OpenSSH is as affected as the port. Of course, almost every Linux distro is affected. And of course, the latest release (5.0) is affected.

Simple fix:

Edit auth1.c and replace

        packet_disconnect(msg);

with

        packet_disconnect("%s", msg);

OpenBSD is not affected, this is only in OpenSSH-portable.
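The pattern behind the one-line fix, as an added example that is not code from this post or from OpenSSH: a hypothetical printf-style `render_disconnect()` stands in for `packet_disconnect()`, carrying a format attribute so that `-Wformat -Wformat-security` flags the unfixed call shape (a non-literal format with no arguments), and `safe_disconnect_message()` shows the corrected shape where caller text only ever travels through a fixed `"%s"`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSH's packet_disconnect(): a printf-style
 * variadic function. The format attribute (GCC/Clang) lets
 * -Wformat -Wformat-security report any call that hands it a non-literal
 * format string with no further arguments, i.e. the buggy shape
 * packet_disconnect(msg) described above. */
#ifdef __GNUC__
__attribute__((format(printf, 3, 4)))
#endif
static int render_disconnect(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Corrected shape: the caller-supplied text is always the argument of a
 * fixed "%s" directive and never the format itself, so any '%' it carries
 * is copied literally instead of being interpreted by the formatter. */
int safe_disconnect_message(char *out, size_t outlen, const char *msg)
{
    return render_disconnect(out, outlen, "%s", msg);
}

/* Audit helper: returns 1 if text that might end up in a format argument
 * contains a conversion specification ("%%" is a literal percent sign). */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[128];
    const char *untrusted = "Bad user %s (%x)"; /* constructed sample input */

    safe_disconnect_message(buf, sizeof buf, untrusted);
    printf("rendered literally: %s\n", buf);
    printf("directives present: %d\n", contains_format_directive(untrusted));
    return 0;
}
```

Compile with `-Wall -Wformat -Wformat-security` and a call such as `render_disconnect(buf, sizeof buf, untrusted)` is reported at build time, which is the cheapest way to sweep a code base for the same class of bug.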

Published today by Mrdkaaa for the pwnie awards.

Update: it doesn’t seem exploitable in the real world, though; see that thread, pointed out by Greg (thanks!).