
Re: security report



On Mon, Jul 02, 2001 at 11:41:30AM -0400, Faheem Mitha wrote:
> 
> Dear Debian People,
> 
> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on. I have run apt-get update and apt-get upgrade on it. The
> most serious problem appears to be with ssh. What should I do about this,
> if anything? 
> 
> Should I upgrade to a more recent version of ssh from testing? The current
> version of Openssh is at 1.2.3-9.3 and the most recent version is 2.9. In
> any case, I thought security vulnerabilities were supposed to be fixed in
> stable.

If you look at the changelog for ssh (which will be installed as 
/usr/share/doc/ssh/changelog.Debian.gz) you'll see that the version
you are currently using contains the necessary security patch 
(backported from the 1.2.32 version as listed in this "report").

Debian has a (very good) habit of back-porting any necessary security fixes
to the currently used version rather than upgrading the package to the
latest upstream version. Why? Because this gives greater confidence that 
the security issue will be resolved without introducing any other bugs.

As for the other issues you can modify /etc/inetd.conf to remove most of these
if you care. Whether or not this is worth doing depends upon whether these
services are of any use to you (unlikely) and just how paranoid you need to be 
with the machine in question.

Hope this answers your question,

Derek
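The two checks Derek describes, as an added example that is not part of the original mail: read the Debian changelog to confirm which package revision you run and whether it mentions the backported upstream version, and comment out unneeded services in inetd.conf. The inetd.conf and changelog contents below are constructed samples written to a temporary directory, so nothing touches the real /etc/inetd.conf or /usr/share/doc/ssh/changelog.Debian.gz; the `#<off># ` prefix is the marker Debian's update-inetd uses for a disabled line, and the version and changelog wording are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. Everything here works on files
# whose paths are passed in; the sample contents are constructed.

# Constructed stand-in for /etc/inetd.conf on a Debian 2.2 box.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# /etc/inetd.conf: see inetd(8) for further informations.
echo        stream  tcp     nowait  root    internal
discard     stream  tcp     nowait  root    internal
daytime     stream  tcp     nowait  root    internal
chargen     stream  tcp     nowait  root    internal
time        stream  tcp     nowait  root    internal
finger      stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
ident       stream  tcp     nowait  nobody  /usr/sbin/identd  identd -i
EOF
}

# Constructed stand-in for /usr/share/doc/ssh/changelog.Debian.gz (the entry
# text is invented for the example; only the version string is from the mail).
write_sample_changelog() {
    {
        echo 'ssh (1:1.2.3-9.3) stable-security; urgency=high'
        echo ''
        echo '  * Backport of the security fix from upstream 1.2.32 (constructed entry).'
        echo ''
        echo ' -- Example Maintainer <maint@example.invalid>  Mon, 02 Jul 2001 12:00:00 +0200'
    } | gzip -c > "$1"
}

# Version header of the newest changelog entry: the Debian revision you run,
# which is what an audit tool that only looks at the upstream number misses.
newest_changelog_version() {
    gzip -dc "$1" | sed -n 's/^[a-z0-9.+-]* (\(.*\)) .*/\1/p' | head -n 1
}

# Number of changelog lines mentioning PATTERN (an upstream version, a bug id).
changelog_mentions() {
    gzip -dc "$1" | grep -c -- "$2" || true
}

# Comment out every active inetd line whose service field equals SERVICE,
# using the "#<off># " marker that update-inetd writes for disabled entries.
disable_inetd_service() {
    file=$1
    svc=$2
    awk -v svc="$svc" '
        $1 == svc { print "#<off># " $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Service names that are still enabled (non-blank lines not starting with #).
list_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Stand-alone demonstration on the constructed files.
run_demo() {
    dir=$(mktemp -d)
    write_sample_inetd_conf "$dir/inetd.conf"
    write_sample_changelog "$dir/changelog.Debian.gz"
    echo "ssh package version: $(newest_changelog_version "$dir/changelog.Debian.gz")"
    echo "changelog lines mentioning 1.2.32: $(changelog_mentions "$dir/changelog.Debian.gz" 1.2.32)"
    for svc in echo discard daytime chargen time finger; do
        disable_inetd_service "$dir/inetd.conf" "$svc"
    done
    echo "still enabled in inetd.conf: $(list_enabled_services "$dir/inetd.conf" | tr '\n' ' ')"
    rm -rf "$dir"
}

run_demo
```

On a real Debian box the same result comes from `update-inetd --disable finger` (one call per service) followed by sending inetd a HUP so it rereads the file; the awk version above is only there so the example can run against a throwaway copy of the file.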


