
Re: Critical: ssh-nonfree IS exploited



On Sun, 11 Nov 2001, Wichert Akkerman wrote:

>...
> > Since there is no security alert and since it is only fixed in 1.2.27-6.2 or
> > -7 we should warn our users explicitly. Especially since it is not contained
> > within potato.
>
> non-free is not technically part of Debian potato.

You might be technically correct but IMHO the security of users running
Debian is more important. (and after looking at [1] I see that this
wouldn't be the first advisory for a non-free package)

> > Note: the reason why those production servers are still using non-free ssh
> > is, because a) OpenSSH isn't more secure (had a remote exploit before) and b)
> > upgrade is harder than expected. So we need to make nonfree more recent.
>
> Anyone who thinks openssh is not more secure needs to compare codebases :)

I don't disagree that OpenSSH might be more secure - but we shipped
ssh-nonfree in the non-free part of potato and people using it for
whatever reasons rely on us fixing security bugs (and people reading our
advisories will notice that there are security problems in the non-free
ssh, too).

> Wichert.

TIA
Adrian

[1] http://www.debian.org/security/2000/20000901


-- 

Get my GPG key: finger bunk@debian.org | gpg --import

Fingerprint: B29C E71E FE19 6755 5C8A  84D4 99FC EA98 4F12 B400



