
Woody ssh exploit



We are currently running woody on a production machine (yes, I am not that
happy about that decision). Woody does not get potato's security updates,
and does not get new unstable security fixes in a timely fashion. This
leaves woody vulnerable to certain kinds of problems; particularly
distressing right now is the ssh security issue that is out there, which
woody does not have a fix for. Potato has a fix at
http://www.debian.org/security/2001/dsa-027

So how do we fix this on a woody machine? 

There are a few things that can be done, none of them very great. There is
the possibility of putting the potato package on our machine, but are there
dependency issues or problems downgrading a package from woody to
potato? What about when a fix does finally come available for woody, will it
be an issue to bring the potato package up to that woody upgrade? There is
the possibility of enabling protocol 2 only on our ssh installation, which
would make us safe, but is only an interim fix until an update comes
available for woody; this is an issue for people who cannot connect via
protocol 2, and an annoyance/education effort for those who connect via
protocol 1.

All of these aren't great. Unless I am wrong, currently there is no known
exploit for this hole, but that isn't that much of a reassurance either.

Thanks,
Micah
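
One way to confirm the protocol-2-only setting mentioned in the message above, as an added example that is not part of the original post: a shell check that reads an sshd_config and reports the first `Protocol` value sshd would use. The helper name `check_sshd_protocol` and the sample configs are constructed for illustration, and a missing keyword is reported as "unset" because the default differs between sshd versions.

```shell
#!/bin/sh
# Added example: report whether an sshd_config restricts sshd to protocol 2.
# check_sshd_protocol is a hypothetical helper name, not an OpenSSH tool.

# Print the effective Protocol value ("unset" if the keyword is absent).
# Return 0 only when that value is exactly "2".
check_sshd_protocol() {
    proto=$(awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # strip comments, allow "Protocol=2"
        tolower($1) == "protocol" {          # keywords are case-insensitive
            print $2; exit                   # sshd keeps the first value it reads
        }
    ' "$1") || return 2
    proto=${proto:-unset}
    printf '%s\n' "$proto"
    # "unset" counts as a failure: the default depends on the sshd version.
    [ "$proto" = "2" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf 'Port 22\n#Protocol 2\nProtocol 2,1\nProtocol 2\n' > "$demo_dir/mixed"
printf 'Port 22\nprotocol 2   # v2 only\n' > "$demo_dir/v2only"
printf 'Port 22\n' > "$demo_dir/default"

for f in mixed v2only default; do
    if value=$(check_sshd_protocol "$demo_dir/$f"); then
        echo "$f: Protocol $value (protocol 1 disabled)"
    else
        echo "$f: Protocol $value (protocol 1 may still be accepted)"
    fi
done
```

The "mixed" sample shows why a later `Protocol 2` line is not enough: an earlier `Protocol 2,1` line is the one that takes effect.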


