Re: openssh-server for stable has CVE vulnerability

To: schwart@riseup.net
Cc: matthew@debian.org, debian-ssh@lists.debian.org
Subject: Re: openssh-server for stable has CVE vulnerability
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 31 Jan 2024 08:58:52 +0000
Message-id: <[🔎] ZboLzGmx7RrN18Ru@riva.ucam.org>
Mail-followup-to: schwart@riseup.net, matthew@debian.org, debian-ssh@lists.debian.org
In-reply-to: <[🔎] dbffb93496666d3b1657b6d4ddf3e24a@riseup.net>
References: <[🔎] dbffb93496666d3b1657b6d4ddf3e24a@riseup.net>

On Wed, Jan 31, 2024 at 08:19:41AM +0000, schwart@riseup.net wrote:
> I'm a longterm debian user but seeing latest security fix is not
> delivered - Should I start using `sid` for everything now??

https://security-tracker.debian.org/tracker/source-package/openssh shows
only one open CVE of any importance, for which no fix exists anywhere to
my knowledge (it's mainly a hardware issue, so OpenSSH can't really fix
it although it's possible that some form of mitigation might be
developed; but in any case that would have to be done upstream first).
The rest are all either fixed in stable or unimportant for one reason or
another, which you can usually find if you click through to the CVE ID
in question.  There are no differences in CVE coverage right now between
stable and unstable as far as I know.

Is there a particular CVE that you're concerned about?  Note that
third-party scanners often report false positives because they work
purely in terms of upstream versions and don't understand that
distributions often backport fixes.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

References:
- openssh-server for stable has CVE vulnerability
  - From: schwart@riseup.net

Prev by Date: openssh-server for stable has CVE vulnerability
Previous by thread: openssh-server for stable has CVE vulnerability
Index(es):
- Date
- Thread