Please see below for details of another openssh advisory.
Is the current patched version of SuSE vulnerable to this attack?
No, because those versions (2 versions) are not used in any SuSE product.
The advisory warns that we are vulnerable if privsep is disabled - the most recent patch from SuSE disabled privsep by default!
I like the idea of privsep, please can somebody at SuSE answer the following:
1. How do I re-enable privsep - is it enough to turn it on in the sshd_config?
Yes, and restarting/reloading the sshd process.
2. What is the problem with enabling privsep in the latest release?
Calling PAM routines is not suitable if not running as root. It just doesn't work.
3. How do I check that privsep is actually working - there doesn't seem to be any record of it in the syslog.
Look at the processes while you are logged on via ssh. You should be able to see that the sshd uses another uid.
4. I am used to restricting access to many services via the hosts.allow - will this help if there is an sshd exploit?
Yes. That's a sign of experience if you're using tcp_wrappers. Independently of hosts.allow, access can be restricted in sshd_config, too.
Thanks, Simon Oliver
You're welcome. Roman.
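The process check from answer 3, as an added example that is not part of the original thread: it classifies sshd processes by owner from `ps -eo user,pid,ppid,args` output and succeeds only if some sshd process runs under a non-root uid. The two sample listings are constructed for illustration, and the function name `privsep_check` is hypothetical.

```shell
#!/bin/sh
# Added example. Reads `ps -eo user,pid,ppid,args` style lines on stdin.
# Prints one line per sshd process and returns 0 if at least one sshd
# process runs under a non-root uid (privsep in effect), 1 otherwise.
privsep_check() {
    awk '
        # Skip the ps header and every process that is not sshd.
        $1 == "USER" { next }
        $4 !~ /(^|\/)sshd:?$/ { next }
        {
            role = ($1 == "root") ? "privileged" : "unprivileged"
            printf "%s pid=%s uid=%s\n", role, $2, $1
            if ($1 != "root") unpriv++
        }
        END { exit ((unpriv > 0) ? 0 : 1) }
    '
}

# Constructed sample: privsep on. A root monitor ("[priv]") and a child
# running as the logged-in user both exist for the session.
SAMPLE_PRIVSEP='USER       PID  PPID COMMAND
root       612     1 /usr/sbin/sshd
root      2301   612 sshd: simon [priv]
simon     2303  2301 sshd: simon@pts/0
simon     2304  2303 -bash'

# Constructed sample: privsep off. The session sshd itself runs as root.
SAMPLE_NOPRIVSEP='USER       PID  PPID COMMAND
root       612     1 /usr/sbin/sshd
root      2301   612 sshd: simon@pts/0
simon     2304  2301 -bash'

# Live use, while logged on via ssh:
#   ps -eo user,pid,ppid,args | privsep_check && echo "privsep active"
```

Run the live check from inside an ssh session, since the unprivileged child only exists while a connection is open.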