
Re: Woody ssh exploit



You could just recompile it yourself.  I don't even use any of the Debian
SSH packages anymore, they are mostly out-of-date anyway.  The current
SSH2 in woody is 2.0.13, for example.  I just download the source and
compile it myself for those kinds of things.

There's another good point to that:  Anything that is intimately connected
with your system security should be done by hand anyway.

Actually, if someone wants to give me a hint on how to use the dpkg tool
to build things (never done it before!) and how to upload the compiled
versions, I'd re-contribute the packages.

Aaron

On Thu, 22 Feb 2001, Micah Anderson wrote:
> We are currently running woody on a production machine (yes, I am not that
> happy about that decision). Woody does not get potato's security updates,
> and does not get new unstable security fixes in a timely fashion. This
> leaves woody vulnerable to certain kinds of problems, particularly
> distressing right now is the ssh security issue that is out there, which
> woody does not have a fix for. Potato has a fix at
> http://www.debian.org/security/2001/dsa-027
> 
> So how do we fix this on a woody machine? 
> 
> There are a few things that can be done, none of them very great. There is
> the possibility of putting the potato package on our machine, but are
> there dependency issues or problems downgrading a package from woody to
> potato? What about when a fix does finally come available for woody, will it
> be an issue to bring the potato package up to that woody upgrade? There is
> the possibility of enabling protocol2 only on our ssh installation, which
> would make us safe, but is only an interim fix until an update comes
> available for woody, this is an issue for people who cannot connect via
> protocol 2, and an annoyance/education effort for those who connect via
> protocol 1.
> 
> All of these aren't great. Unless I am wrong, currently there is no known
> exploit for this hole, but that isn't that much of a reassurance either.
> 
> Thanks,
> Micah


