
Bug#474301: openssh: new upstream version (5.1p1)



On Tue, Jul 22, 2008 at 11:49:42PM +0300, Teodor wrote:
> On Tue, Jul 22, 2008 at 5:22 AM, Kris Shannon <kris@shannon.id.au> wrote:
> > OpenSSH has now released another new version - 5.1
> >
> > http://www.openssh.com/txt/release-5.1
> 
> Please note the security advisory (might be applicable):
> ----
>    Portable OpenSSH 5.1 avoids this problem for all operating systems
>    by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
> ----

Read the release announcement in full to discover that it is not
applicable:

 * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
   other platforms) when X11UseLocalhost=no

[...]

   Modern BSD operating systems, Linux, OS X and Solaris implement the
   above checks and are not vulnerable to this attack, nor are systems
   where the X11UseLocalhost has been left at the default value of
   "yes".

> Colin, although you planned to package 5.0p1 please take a look at
> 5.1p1. Considering a recent message from the release team, it is
> enough to make it to unstable until the freeze and it will be included
> in lenny.

Indeed; I already have 5.1p1 merged into my local tree and am in the
middle of testing it. The reason I hadn't done it before now is that I
was trying to ensure that we had a stable version of 4.7p1 as a fallback
following all the upheaval with the OpenSSL random number generator
vulnerability.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
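
The release-note excerpt quoted above ties exposure to `X11UseLocalhost` being set to `no`. As an added example (not part of the original message and not OpenSSH or Debian code), this sketch audits sshd_config text for that setting, globally and per `Match` block. It assumes first-value-wins within a scope and accepts `no`/`false` case-insensitively so that it over-reports rather than under-reports; the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
X11Forwarding yes
x11uselocalhost = no
X11UseLocalhost yes
Match User alice
    X11UseLocalhost yes
Match Address 192.0.2.0/24
    X11UseLocalhost "no"
"""

def parse_line(line):
    """Return (lowercased keyword, value), or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Keyword and argument are separated by whitespace or by a single '='.
    m = re.match(r'([^\s=]+)(?:\s*=\s*|\s+)(.*)$', line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip().strip('"')

def x11_localhost_disabled(config_text):
    """Return [(scope, line_no)] for scopes whose effective value is 'no'.

    Assumption: the first occurrence of a keyword in a scope wins.
    Limitation: Include directives are not followed.
    """
    scope, seen, findings = "global", set(), []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if key == "match":            # a Match line opens a new scope
            scope = "Match " + value
            continue
        if key != "x11uselocalhost" or scope in seen:
            continue                  # later duplicates in a scope are ignored
        seen.add(scope)
        if value.lower() in ("no", "false"):
            findings.append((scope, line_no))
    return findings

if __name__ == "__main__":
    for scope, line_no in x11_localhost_disabled(SAMPLE_CONFIG):
        print(f"line {line_no}: X11UseLocalhost disabled in scope {scope}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above only inspects the text it is given.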


