Re: Ssh2-packet still secure?
On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?
The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
We removed it from Debian testing and unstable some time ago, and the
last version uploaded to Debian was a long way behind ssh.com's version
even then. I would be astonished if it didn't have a number of security
holes. Notwithstanding today's OpenSSH vulnerability, I still very
strongly recommend that you stop using ssh2 and switch to ssh.
See also http://lists.debian.org/debian-qa-0209/msg00038.html.
(QA group: should we ask for ssh2 to be removed from stable as well? I
don't think the project can reasonably support it at this point.)
Colin Watson [email@example.com]