On May 17, 2008, at 1:34 PM, Matteo Vescovi wrote:
are there updates for this issue for old stable - sarge?

It was said sarge is not affected,
Bear in mind that you still want blacklist support for the various tools, not just for the known_hosts and authorized_keys; but also for people who move their identity files around, generate their web/mail server's x509 cert (request) on a laptop/off-line prior to moving it onto the server and so on*.
Dw.

*: I found about a 1 to 3901 ratio between affected and non-affected keys out of about 50k ssh-keys and 21k x509's (using the not yet complete lists!) in an environment which is virtually only Windows, MacOSX and FreeBSD. I think it is reasonable to assume that this is fairly common - hence you want these blacklist tools on a wider range of platforms/OS-es.
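
A platform-independent check of the kind the message asks for, as an added example that is not part of the original message: it scans authorized_keys or known_hosts text and flags keys whose MD5 fingerprint appears on a blacklist. The blacklist format (MD5 hex with the first 12 characters dropped), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the raw public-key blob as hex, without colons."""
    return hashlib.md5(blob).hexdigest()

def key_blobs(text: str):
    """Yield (line_no, blob) for each key in authorized_keys or known_hosts text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (authorized_keys) or host names (known_hosts) may come first.
        for i, tok in enumerate(fields[:-1]):
            if tok not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue  # not base64: the token was part of an option string
            # A real blob starts with its own length-prefixed type name.
            if blob[:4] == struct.pack(">I", len(tok)) and blob[4:4 + len(tok)] == tok.encode():
                yield line_no, blob
                break

def find_blacklisted(text: str, blacklist: set) -> list:
    """Return [(line_no, fingerprint)] for keys whose truncated fingerprint is listed."""
    hits = []
    for line_no, blob in key_blobs(text):
        fp = md5_fingerprint(blob)
        if fp[12:] in blacklist:  # assumed format: first 12 hex chars dropped
            hits.append((line_no, fp))
    return hits

def sample_blob(n: int) -> bytes:
    """Constructed ssh-rsa blob (e=65537, arbitrary n); not a usable key."""
    def s(b): return struct.pack(">I", len(b)) + b
    return s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n.to_bytes(33, "big"))

def sample_line(n: int, prefix: str = "") -> str:
    return prefix + "ssh-rsa " + base64.b64encode(sample_blob(n)).decode() + " demo"

# Constructed input: one comment, one clean key, one listed key with options.
SAMPLE = "\n".join(["# constructed sample", sample_line(0xA1 << 250),
                    sample_line(0xB2 << 250, 'from="10.0.0.1" ')])
BLACKLIST = {md5_fingerprint(sample_blob(0xB2 << 250))[12:]}
```

Calling `find_blacklisted(SAMPLE, BLACKLIST)` reports only line 3, the key carrying a `from=` option prefix.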