On Thursday 18 March 2010, Colin Watson wrote:
> On Wed, Mar 10, 2010 at 11:56:39AM -0600, Alicia Smith wrote:
> > I would like to know if the latest Lenny package is vulnerable as
> > indicated in CVE-2006-4925.
> >
> > The security-tracker is showing conflicting information and I can't seem
> > to find a bug-report on this.
>
> This vulnerability was fixed upstream in OpenSSH 4.4p1. Lenny has
> OpenSSH 5.1p1, which includes this fix.
>
> I'm not sure we ever issued a DSA for this, and I apparently didn't
> record it in the package changelog, so CCing security@d.o in case some
> bit of tracking metadata needs to be updated somewhere.

This CVE is considered a non-issue by us as can be seen near the bottom of
the security-tracker page. I can understand that the word 'vulnerable'
suggests that something needs to be done, but that isn't the case here.

We are not the only ones to mark it as unimportant, see e.g. the vendor
statement by Red Hat:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4925

cheers,
Thijs