
Re: password expire and sshd doesn't allow ppl to change it

On Sun, Sep 23, 2001 at 06:39:37PM +0300, Ilkka Tuohela wrote:
> Quite true. Only thing which could cause this is that there was a severe
> security flaw found with version of ssh for potato, for which a patch was
> not available and only way to fix the bug was to upgrade to the 2.9
> version. This is really improbable, anyway.

nope the security team would backport the fix.  the only time they
don't do that is if the fix is so complicated and ingrained in the 2.x
series that backporting would be more risky and problematic than a new

about the only package that qualifies there is gnupg, the security
team doesn't backport fixes to that package generally, but the new
upstreams only fix the security holes anyway so backporting them would
be roughly equivalent to new upstream minus new version number..

> One thing users of these custom packages must remember is that their 
> system now has something which is not supported: if a security flaw
> were found from openssh 2.9xx which doesn't exist in potato version
> the user must compile a new version by themselves, it's never upgraded
> with apt-get upgrade from official servers. 

indeed.  you have to be cautious with how many packages you backport
and start monitoring them yourselves.  though keeping an eye on
security problems is a good idea anyway since debian sometimes doesn't
make security updates, or takes waaaay too long.

proposed-updates has a potato libc update with only a security related
change that's been there for months, also there is a procmail in
proposed-updates fixing a signal vulnerability (root hole most likely
since it's setuid root by default), it's been there for quite a while
now.  w3m has a hole that's only been silently fixed in i386
security.debian.org (perhaps others, powerpc has an uninstallable

Ethan Benson
