Re: security report
Faheem Mitha <faheem@email.unc.edu> writes:
> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on. I have run apt-get update and apt-get upgrade on it. The
> most serious problem appears to be with ssh. What should I do about this,
> if anything?
>
> Should I upgrade to a more recent version of ssh from testing? The current
> version of Openssh1.is at 1.2.3-9.3 and the most recent version is 2.9. In
> any case, I thought security vulnerabilities were supposed to be fixed in
> stable.
Security problems in stable packages are often fixed by back-porting
changes from later versions. Hence just looking at the version number
of a package is in many cases an inadequate way of determining whether
it (still) contains a certain security hole. It is best to look at
the change logs. AFAIK, the problem you refer to was addressed by
DSA-027 <URL:http://www.debian.org/security/2001/dsa-027>.
If you have security.debian.org in your sources.list the fix should
have been installed when you apt-got.
--
Leonard Stiles <ljs@uk2.net>
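
An added example, not part of the original message: a shell sketch of the two checks the reply describes, confirming that sources.list has an active security.debian.org line and reading the package changelog for a back-ported fix instead of trusting the upstream version number. The function names, the `demo-daemon` package, its versions and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; every file written below is a constructed sample.

# Return 0 if the sources.list-style file in $1 has an active (uncommented)
# "deb" line whose URI points at security.debian.org.
has_security_source() {
    awk '
        /^[ \t]*#/ { next }    # skip commented-out lines
        $1 == "deb" && $2 ~ /^[a-z]+:\/\/security\.debian\.org(\/|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the version of every changelog entry in $1 whose body matches the
# case-insensitive pattern $2. Headers look like "pkg (version) dist; urgency=x".
entries_mentioning() {
    awk -v pat="$2" '
        /^[^ \t(]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver); hit = 0; next }
        /^  / && !hit && tolower($0) ~ tolower(pat) { print ver; hit = 1 }
    ' "$1"
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sources.list" <<'EOF'
deb http://http.us.debian.org/debian stable main contrib non-free
# deb http://security.debian.org stable/updates main contrib non-free
EOF
cat > "$SAMPLES/sources.fixed" <<'EOF'
deb http://http.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
EOF
cat > "$SAMPLES/changelog.Debian" <<'EOF'
demo-daemon (1.0-1.1) stable; urgency=high

  * Non-maintainer upload by the security team.
  * Back-port upstream fix for a remote buffer overflow.

 -- Constructed Uploader <uploader@example.org>  Thu, 01 Jan 1970 00:00:00 +0000

demo-daemon (1.0-1) unstable; urgency=low

  * Initial release.

 -- Constructed Uploader <uploader@example.org>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
has_security_source "$SAMPLES/sources.list"  || echo "sources.list: no active security line"
has_security_source "$SAMPLES/sources.fixed" && echo "sources.fixed: security line enabled"
echo "fixed in: $(entries_mentioning "$SAMPLES/changelog.Debian" 'security|overflow')"
```

In the sample changelog the upstream version stays at 1.0 while the Debian revision moves from -1 to -1.1, which is why the version number alone does not show the fix. On a real system the input would be /etc/apt/sources.list and the decompressed /usr/share/doc/<package>/changelog.Debian.gz.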