Bug#506115: openssh: Plaintext Recovery Attack Against SSH
On Tue, Nov 18, 2008 at 10:44:02PM +0900, Hideki Yamane wrote:
> package: openssh
> severity: grave
> tag: security upstream
> Hi OpenSSH package maintainers (and lists),
> I saw a new OpenSSH vulnerability issue.
> See http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
> It says
> "The attack was verified against the following product version running on Debian GNU/Linux:
> - OpenSSH 4.7p1
> Other versions are also affected. Other implementations of the SSH
> protocol may also be affected."
> and this issue was reported to upstream by CPNI (they say). IMHO, we should
> contact upstream and wait for a solution from them.
I'm aware of this and would be absolutely astonished if upstream
weren't; I'm keeping an eye on CVS for an update.
Colin Watson [email@example.com]