On Wed, Sep 17, 2003 at 08:24:43AM +0300, Birzan George Cristian wrote:
> According to the DSA, this is based on the 3.7 fix. OpenSSH's site lists
> the only not vulnerable version as 3.7.1. In my mind, that means the ssh
> version on security.debian.org right now is _STILL_ vulnerable. I'm not
> a security expert, nor do I have time to actually see if that's true,
> so, I'm asking the list if anyone can confirm/deny that.

Yes, it seems like OpenSSH 3.7.1 appeared quickly after 3.7 (or 3.7 didn't really appear at all?) and fixed additional security bugs.

The first Debian patches did only contain patches from 3.7, not from 3.7.1, so ssh is still vulnerable. (But I did not check if all these vulnerabilities affect both woody and sid.)

So I guess we all have to upgrade again. Didn't see packages with patches derived from 3.7.1, yet.

Jan