[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Ssh2-packet still secure?

On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?

The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
We removed it from Debian testing and unstable some time ago, and the
last version uploaded to Debian was a long way behind ssh.com's version
even then. I would be astonished if it didn't have a number of security
holes. Notwithstanding today's OpenSSH vulnerability, I still very
strongly recommend that you stop using ssh2 and switch to ssh.

See also http://lists.debian.org/debian-qa-0209/msg00038.html.

(QA group: should we ask for ssh2 to be removed from stable as well? I
don't think the project can reasonably support it at this point.)


Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to: