
RE: Vulnerable SSH versions



I will gladly grant that the tar file may not exist for the boot
floppies, and that I do not have on hand the CD to check it. It also may
have been a Potato(e) phenomenon, no longer in use. However, it did
exist.

Which makes me wonder, why ship Woody with 2.2.20 at all? Oh well, not
my decision.

I'm not sure that the problem is the 2.2.x modules "being found" by the
2.4.x modutils, I had the distinct impression that they were just "still
included" for some reason. However, again to my shame, I have not the
machine accessible to check.

However, this is way off topic no matter how interesting. Thanks to
everyone for their help and advice, we shall see.

Curt-

-----Original Message-----
From: Henrique de Moraes Holschuh [mailto:hmh@debian.org]
Sent: Tuesday, November 13, 2001 09:53
To: Howland, Curtis
Cc: debian-security@lists.debian.org
Subject: Re: Vulnerable SSH versions


On Tue, 13 Nov 2001, Howland, Curtis wrote:
> The tar file that contains the "base" Woody install, which is used as
> the jumping off point for installation.

There isn't one, at least not for boot floppies. We use debootstrap to
fetch the most up-to-date packages of that distribution and install
them, not a tarball.

> As far as the change from 2.2.x to 2.4.x, if you don't think it was
> all that confusing then you don't use pcmcia services. The 2.2.x kernel

That looks like a quite bad usability bug on the pcmcia-related packages
to me, but I have not looked deeply (read: not at all) into the problem.

> modules are all still there, but they no longer work. That means that
> not only do you need to find out the new modules names, you have to
> ensure you don't use any of the old ones.

The 2.2.x modules should not be kept somewhere the 2.4 kernels will find
them. This is certainly a big problem.

> Seriously flawed, IMNSHO, and very confusing. It also led to a version
> conflict with modutils, where I had to boot back into 2.2.x in order
> to install modutils v2.4.10. I still get error messages from modutils on
> both boot-up and shutdown about version conflicts and missing modules.

Please file bugs against the appropriate packages, so as to have them
ensure they have a new-enough modutils, at the very least.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


