
Re: ssh vulnerability



On Sun, Oct 21, 2001 at 04:41:17PM -0500, Mike Renfro wrote:
> On Fri, Oct 19, 2001 at 03:26:18PM -0800, Ethan Benson wrote:
> > On Fri, Oct 19, 2001 at 06:06:34PM -0400, ahall@secureworks.net wrote:
> > > Has debian released a new ssh dpkg yet?
> > 
> > no
> 
> If this is about the buffer overflow exploit that's supposed to be
> going around now, wasn't this fixed in the following:

well i assumed he was referring to the OpenSSH2 problems with
authorized_keys2 among others fixed in 2.9.9p2.  while this is not
relevant to stable it does affect unstable users, and the sid ssh
packages are still not updated to 2.9.9p2.  this is not the
responsibility of the security team of course.

there are also the so-called traffic analysis problems which stable ssh
has no workarounds for.  (there are patches to counteract that
problem).  

> openssh (1:1.2.3-9.2) stable; urgency=high
> 
>   * Non-maintainer upload by Security Team
>   * Added backported fix for a buffer overflow (thanks to Piotr
>     Roszatycki)
>   * Added modified build dependencies from unstable for convenience
>   * Added patch that fixes an rsa key exchange problem made public by CORE
>     SDI.
> 
>  -- Martin Schulze <joey@debian.org>  Thu,  8 Feb 2001 22:15:04 +0100
> 
> If it's a different exploit entirely, please ignore.
> 
> -- 
> Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
