Bug#463011: [openssh-unix-announce] Announce: OpenSSH 5.0 released

Damien Miller wrote:
>We apologise for any inconvenience resulting from this release
>being made so shortly after 4.9. Unfortunately we only learned of
>the below security issue from the public CVE report. The Debian
>OpenSSH maintainers responsible for handling the initial report of
>this bug failed to report it via either the private OpenSSH security
>contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla
>We ask anyone wishing to report security bugs in OpenSSH to please use
>the openssh@openssh.com contact and to practice responsible disclosure.

My apologies for this; after having been in a very busy period at work
for some time, I was dealing with the bug in a rush immediately before
going on holiday for a week, and a comment on the bug by that point
indicated that it had already been forwarded to Theo de Raadt. Since that
sounded vaguely reasonable and I was short on time, I didn't think to
check further.

(The bug log indicates that a member of Red Hat's Security Response Team
was also aware of the same problem.)

Colin Watson                                       [cjwatson@debian.org]

