[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Woody ssh exploit


I'm running woody but I have security.debian.org stable in my 
apt sources.list file:

   deb http://ftp.debian.org/debian woody main contrib non-free
   deb http://non-us.debian.org woody/non-US main contrib non-free
   deb http://security.debian.org stable/updates main contrib non-free
   deb http://spidermonkey.helixcode.com/distributions/debian woody main

As a result "dpkg -s ssh" yields:

   Package: ssh
   Status: install ok installed
   Priority: optional
   Section: non-US/main
   Installed-Size: 503
   Maintainer: Philip Hands <phil@hands.com>
   Source: openssh
   Version: 1:1.2.3-9.2

And  "zcat  /usr/share/doc/ssh/changelog.Debian.gz | head" yields:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by CORE 

which is the fixed version mentioned in the security alert.

Am I missing something here?  I thought the security fix was


Quoting Richard (ricv@denhaag.org):
> On Thu, 22 Feb 2001, Micah Anderson wrote:
> > Potato has a fix at
> > http://www.debian.org/security/2001/dsa-027
> > 
> > So how do we fix this on a woody machine? 
> You could build it from the source pkg's. 
> put some deb-src lines in y'r /etc/apt/sources.list 
> apt-get (-b)  source xxxx
> btw. howdo these 'Build-Depends' work?
> I alway find myself fetching, building, install additional pkgs by hand.
> [RicV]

Reply to: