Re: [d-security] Re: ssh vulnerability in the wild
On Tue, Sep 16, 2003 at 01:10:34PM -0400, Dossy wrote:
> On 2003.09.16, Christian Hammers <ch@debian.org> wrote:
> > The new version has already been installed. This was quick. Good work,
> > security team.
> >
> > openssh (1:3.4p1-1.1) stable-security; urgency=high
> >
> > * NMU by the security team.
> > * Merge patch from OpenBSD to fix a security problem in buffer handling
> >
> > -- Wichert Akkerman <wakkerma@debian.org> Tue, 16 Sep 2003 13:06:31 +0200
>
> Is 3.6.1p2-3 vulnerable? For those of us who want security, must we
> downgrade to 3.4p1-1.1 or build from source after patching by hand? Or
> will this security fix be applied to sarge as well?

It's not routine practice, but assuming glibc doesn't suddenly get fixed
in the next couple of days, I expect to upload a fixed openssh to
testing-proposed-updates once the dust settles. That should be able to
get into testing fairly quickly.
--
Colin Watson [cjwatson@flatline.org.uk]