Re: openssh_7.2p2+ availability for wheezy

[Adam Weremczuk <adamw@matrixscience.com>]

On 27/07/2017 15:53, Thorsten Glaser wrote:

> On Thu, 27 Jul 2017, Adam Weremczuk wrote:
>
> > These are the vulnerability I'm referring to and they have been addressed in
> > OpenSSH versions 6.6 and 7.2p2:
> That’s *upstream* version numbers. As Roberto said, the LTS team
> will take those changes (and *only* those security-related fixes),
> backport them to the old wheezy version and upload that regularily
> to the wheezy-security suite.
>
> So, just use these packages. They bear an old *upstream* version
> number and lack the new *upstream* features, but they have all
> the security fixes backported.
>
> bye,
> //mirabilos
Hi Thorsten,

Are you saying that if I:
- add
deb http://ftp.debian.org/debian wheezy-backports main
to /etc/apt/sources.list
- apt-get update
- apt-get upgrade openssh-server

I will have all security patches (ever implemented for openssh-server 
for any Debian distro) despite the version still reporting as 
1:6.0p1-4+deb7u6 ?

How to I hard prove it and convince the external company flagging it on 
our server?

Does their flagging mean they don't know how Debian security patching works?

Thanks
Adam