Re: openssh_7.2p2+ availability for wheezy

To: debian-lts@lists.debian.org, debian-backports@lists.debian.org
Subject: Re: openssh_7.2p2+ availability for wheezy
From: Roberto C. Sánchez <roberto@debian.org>
Date: Thu, 27 Jul 2017 09:43:02 -0400
Message-id: <[🔎] 20170727134302.GA5182@santiago.connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org, debian-backports@lists.debian.org
In-reply-to: <[🔎] fa0ade4c-33f9-8f5e-e22c-fc92972130e1@matrixscience.com>
References: <[🔎] fa0ade4c-33f9-8f5e-e22c-fc92972130e1@matrixscience.com>

On Thu, Jul 27, 2017 at 02:16:46PM +0100, Adam Weremczuk wrote:
> Hello,
> 
> Can somebody advise if there is any openssh_7.2p2 or newer version available
> for wheezy?

I am not aware of any such packages being available.

> Is there any chance it will find its way into official or backport releases
> in the upcoming weeks?
> 
Wheezy is within one year of the end of LTS.  Considering the rather
large differences between the version of OpenSSH in wheezy and the
latest upstream release, I cannot imagine that anything like that would
be done with official sanction.

> We have a server running Wheezy 7.1 running openssh_6.0p1 which we are not
> ready to rebuild and migrate just yet.
> We have recently been asked to update openssh to fix all known security
> vulnerabilities.
> 
The Debian Security Team is responsible for ensuring that all known
vulnerabilities are addressed.  OpenSSH is an absolutely critical
package for just about every single Debian installation, so it receives
a great deal of attention.  That said, Debian's policy is to backport
security fixes and that has been the case for OpenSSH during the life
cycle of wheezy.  If you look in the changelog files:

/usr/share/doc/openssh-client/changelog.Debian.gz
/usr/share/doc/openssh-server/changelog.Debian.gz

You will see that there have been uploads for several security issues
over the years.  Just make sure that you have the security repository in
the sources.list for the machine(s) in question.

If there is a specific security issue which is not addressed and you
feel it should be, the best thing would be to bring it to the attention
of the security team.

> I've been trying to build my own openssh_7.4p1 package but due to complexity
> and/or lack of experience I've been banging my head against errors for days.
> 
If you need help resolving errors with building packages a description
of the steps you have taken along with the actual error messages or
failures you are seeing would make it easier to assist.

> Even if I eventually manage to build it I wouldn't be able to guarantee its
> quality.
> I'm also concerned about side effects of installing it.
> 
I would also be concerned by that.

> Please advise if there is any better alternative before I continue with
> that.
>
You are almost certainly best served by using the official openssh
packages in wheezy.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: openssh_7.2p2+ availability for wheezy
  - From: Adam Weremczuk <adamw@matrixscience.com>

References:
- openssh_7.2p2+ availability for wheezy
  - From: Adam Weremczuk <adamw@matrixscience.com>

Prev by Date: openssh_7.2p2+ availability for wheezy
Next by Date: Re: openssh_7.2p2+ availability for wheezy
Previous by thread: openssh_7.2p2+ availability for wheezy
Next by thread: Re: openssh_7.2p2+ availability for wheezy
Index(es):
- Date
- Thread