Bug#481446: closed by Colin Watson <cjwatson@debian.org> (Re: Bug#481446: openssh-server: openssh does not start complaining about comprimised keys with new generated keys)
"I don't know how you managed it (given that openssh-server depends on a
good enough version; perhaps you have it on hold or something?), but
that version of libssl0.9.8 is absolutely vulnerable. You need to
upgrade to 0.9.8g-9 or newer."
I'm having the same problem on 64bit etch - apt-get dist-upgrade shows
no updates, but the host keys generated are still listed as
compromised.
apt-cache showpkg openssh-server
Versions:
1:4.3p2-9etch2
1:4.3p2-9
apt-cache showpkg openssl:
Versions:
0.9.8c-4etch3
0.9.8c-4etch1
dpkg -l libssl0.9.8:
Version 0.9.8g-4
sshd:
OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8g
kernel:
2.6.18-5-amd64
Reply to: