Re: Wheezy update of openssh?

To: Guido Günther <agx@sigxcpu.org>, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Wheezy update of openssh?
From: Ola Lundqvist <ola@inguza.com>
Date: Tue, 9 Aug 2016 12:14:51 +0200
Message-id: <[🔎] CABY6=0kcJuG_iaByFD=GFC=HJeFt=1OHmb2w=4oFe-bXo=9PxQ@mail.gmail.com>
In-reply-to: <[🔎] 20160809050724.GA7391@bogon.m.sigxcpu.org>
References: <[🔎] 20160809050724.GA7391@bogon.m.sigxcpu.org>

Hi OpenSSH Maintainers and LTS team

I have prepared an update for wheezy now.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/openssh/openssh.debdiff

And the prepared package here:
http://apt.inguza.net/wheezy-security/openssh/

I have regression tested the package by installing it and checked that
I can still log in (using password, not key).

I also reproduced the problem by entering a very long password (> 1024
characters) and I was denied. Whether that was because it did not
calculate the hash or not is hard to tell. I was not allowed to enter
such a long password by passwd command.

I will upload the correction in four days (that is on Friday) unless
anyone objects.

Best regards

// Ola


On Tue, Aug 9, 2016 at 7:07 AM, Guido Günther <agx@sigxcpu.org> wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openssh:
> https://security-tracker.debian.org/tracker/CVE-2016-6515
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Guido Günther,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

References:
- Wheezy update of openssh?
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Processed: notfound 833823 in 1:7.3p1-1
Next by Date: Processed: found 833823 in 1:6.0p1-4
Previous by thread: Wheezy update of openssh?
Next by thread: Bug#833823: CVE-2016-6515: CPU consumption via auth_password
Index(es):
- Date
- Thread