Re: [d-security] Re: DSA-134-1

To: Wichert Akkerman <wichert@wiggy.net>
Cc: Debian Security <debian-security@lists.debian.org>, Christian Hammers <ch@westend.com>
Subject: Re: [d-security] Re: DSA-134-1
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 27 Jun 2002 09:12:41 +0100
Message-id: <[🔎] 86d6udkume.fsf@potato.vegetable.org.uk>
Reply-to: debian-reply@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 20020627074202.GA9384@wiggy.net>
References: <[🔎] 814053EA-87C9-11D6-AC16-00039355CFA6@suespammers.org> <[🔎] 20020624232846.GH28956@wiggy.net> <[🔎] 87r8ivfs1o.fsf@CERT.Uni-Stuttgart.DE> <[🔎] 87ptye6jiy.fsf@CERT.Uni-Stuttgart.DE> <[🔎] 20020626174234.GA20493@westend.com> <[🔎] 20020627074202.GA9384@wiggy.net>

Wichert Akkerman <wichert@wiggy.net> writes:

> Previously Christian Hammers wrote:
>
> > Don't be too hard to him, if he'd pointed out that only default BSD is
> > vulnerable it would not have been too hard to find the exploit before
> > everybody had updated.
> 
> He could have mentioned ssh protocol 1 wasn't vulnerable..

At the very least.

I'm trying not to think how many Debian policies have been bent because of
"oh no! it's ssh!"-factor - porting a protocol-2-enabled *new feature* down
to Stable with the resultant paragraphs on `create a proto-2 keypair' and
`these are untested' in the DSA causes inconvenience to folks running
Stable+Secure boxes, in addition to those of us using Testing but keeping
an eye on DSAs.
And we're all going to have to upgrade again when 3.4 comes out properly as
it is...

Could I suggest that `until we're told what it is, there is no problem' be
considered as an approach? ;/

~Tim
-- 
<http://spodzone.org.uk/>

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: [d-security] Re: DSA-134-1
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

References:
- DSA-134-1
  - From: Anthony DeRobertis <asd@suespammers.org>
- Re: DSA-134-1
  - From: Wichert Akkerman <wichert@wiggy.net>
- Re: DSA-134-1
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Re: DSA-134-1
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Re: [d-security] Re: DSA-134-1
  - From: Christian Hammers <ch@westend.com>
- Re: [d-security] Re: DSA-134-1
  - From: Wichert Akkerman <wichert@wiggy.net>

Prev by Date: Re: PermitRootLogin enabled by default
Next by Date: OpenSSH vuln: BSD only?
Previous by thread: Re: [d-security] Re: DSA-134-1
Next by thread: Re: [d-security] Re: DSA-134-1
Index(es):
- Date
- Thread