Re: Which ssh should I have?
In message <20011107143412.K56083@g7-mac10.fy.chalmers.se>, Ville Uski writes:
>* jigal <hangoor@xs4all.nl> [011107 14:20]:
>> But I found this in the archives of the security mailing list:
>> http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html
>>
>> The previous mail in the thread refers to:
>> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
>>
>> Which is the vuln in question.
>
>Hm, why should I do that? Is my admin right when he thinks that my
>current sshd is vulnerable? I have the latest stable precompiled
>package, i.e. the default ssh installed.
Make sure that you have the security site in your /etc/apt/sources.list file.
If you do, and apt-get update; apt-get upgrade says you're up to date, then
you're fine. In general, the security team patches the current version to
fix security bugs in stable rather than upgrade to a newer version. That
could be confusing your sysadmin. The CRC bug was patched in Debian as of
ssh version 1.2.3-9.2. You can look at the changelog in
/usr/share/doc/ssh/changelog.Debian.gz for specific information.
--
Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com
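An added example, not part of the original message: because the fix was backported, the meaningful check is whether the installed package version sorts at or after 1.2.3-9.2 under Debian's version ordering, and whether an active security entry exists in sources.list. The function names, the `security.debian.org` host name and the sample sources.list text are assumptions made for this sketch, which is useful when auditing a package inventory on a machine without dpkg.

```python
import re

FIXED = "1.2.3-9.2"  # patched ssh package version quoted in the message

def _order(c):
    # dpkg character order: '~' first, then letters, then other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right
    while a or b:
        na, a = re.match(r"([^0-9]*)(.*)", a).groups()
        nb, b = re.match(r"([^0-9]*)(.*)", b).groups()
        for k in range(max(len(na), len(nb))):
            oa = _order(na[k]) if k < len(na) else 0
            ob = _order(nb[k]) if k < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, a = re.match(r"([0-9]*)(.*)", a).groups()
        db, b = re.match(r"([0-9]*)(.*)", b).groups()
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing revision counts as "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "0")

def compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(installed, fixed=FIXED):
    return compare(installed, fixed) >= 0

def has_security_source(text, host="security.debian.org"):
    # Active (uncommented) "deb" lines only; the host name is an assumption
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return any(r[:1] == ["deb"] and any(host in f for f in r[1:]) for r in rows)

# Constructed sample: the security entry is present but commented out
SAMPLE_SOURCES = ("deb http://http.us.debian.org/debian stable main\n"
                  "# deb http://security.debian.org/ stable/updates main\n")
```

A scanner that compares only the upstream part (1.2.3) cannot tell 1.2.3-9.1 from 1.2.3-9.2, which is the confusion the message describes.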