Bug#481106: marked as done (openssh-server: Please add ssh-vulnkey to help test for bad keys)



Your message dated Wed, 14 May 2008 02:05:19 +0100
with message-id <20080514010518.GH16645@riva.ucam.org>
and subject line Re: Bug#481106: openssh-server: Please add ssh-vulnkey to help test for bad keys
has caused the Debian Bug report #481106,
regarding openssh-server: Please add ssh-vulnkey to help test for bad keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
481106: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481106
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9
Severity: important

The fix for bug 363516 fails to include ssh-vulnkey that is in the Ubuntu version.

(See http://www.ubuntu.com/usn/usn-612-2 )

The seriousness of this bug means that a method for testing for the vulnerability
is important to include with the fix.

Perhaps it would be a good idea to run ssh-vulnkey as part of the update process?



--- End Message ---
--- Begin Message ---
On Tue, May 13, 2008 at 01:05:13PM -0500, Karl Schmidt wrote:
> Package: openssh-server
> Version: 1:4.3p2-9
> Severity: important
> 
> The fix for bug 363516 fails to include ssh-vulnkey that is in the Ubuntu version.

The update just hasn't made it into the Debian stable-security queue yet
for awkward reasons. It's in Debian unstable, and will be in
stable-security as soon as the security team manages to get it
published. Filing bugs won't make it happen faster. :-)

> (See http://www.ubuntu.com/usn/usn-612-2 )

Note that I was involved in both the Debian and Ubuntu sides of this
process, and applied identical changes to both distributions.

> Perhaps it would be a good idea to run ssh-vulnkey as part of the
> update process?

It does for host keys. It's not practical to do for user keys (and not
remotely obvious what could automatically be done about it), but the
upgrade does recommend it.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---