SSH Communications Security Corp (ssh.com/ssh.fi) announced on bugtraq last night that their commercial product SSH Secure Shell 3.0.0 is a gaping remote hole on various unixes. Technically it's not a root hole, but remote access to users like "adm," "bin," "daemon," and "sys" is not good. Strangely, I don't see an announcement on their homepage. If you're running the $99 workstation version or the $475 server version, go upgrade to 3.0.1 now because it's an amazingly trivial exploit (especially on Solaris, but also on other unixes, excluding NetBSD and OpenBSD which are not affected at all). If you're using OpenSSH, or some other program you didn't pay for, no worries.