Re: Ssh2-packet still secure?

To: Johan C <jc@slashpuppy.net>
Cc: packages@qa.debian.org
Subject: Re: Ssh2-packet still secure?
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 16 Sep 2003 21:32:00 +0100
Message-id: <[🔎] 20030916203200.GA29896@riva.ucam.org>
In-reply-to: <[🔎] 000001c37c81$bf99a9d0$0100a8c0@isabella>
References: <[🔎] 000001c37c81$bf99a9d0$0100a8c0@isabella>

On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?

The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH.
We removed it from Debian testing and unstable some time ago, and the
last version uploaded to Debian was a long way behind ssh.com's version
even then. I would be astonished if it didn't have a number of security
holes. Notwithstanding today's OpenSSH vulnerability, I still very
strongly recommend that you stop using ssh2 and switch to ssh.

See also http://lists.debian.org/debian-qa-0209/msg00038.html.

(QA group: should we ask for ssh2 to be removed from stable as well? I
don't think the project can reasonably support it at this point.)

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

Follow-Ups:
- Re: Ssh2-packet still secure?
  - From: Colin Watson <cjwatson@debian.org>

References:
- Ssh2-packet still secure?
  - From: "Johan C" <jc@slashpuppy.net>

Prev by Date: Processing of libmail-bulkmail-perl_3.09-1_i386.changes
Next by Date: Re: Ssh2-packet still secure?
Previous by thread: Ssh2-packet still secure?
Next by thread: Re: Ssh2-packet still secure?
Index(es):
- Date
- Thread