nate wrote:
i sent a message to bugtraq a couple minutes ago asking the people on the list if any other versions were tested. hoping that it gets approved, usually takes a few hours or a day to make it through. but the way I read the advisory debian potato's SSH should not be vulnerable to this bug. which would be great news to me. the advisory only mentions openssh 3.0 and up being possibly affected. no mention of any other versions being vulnerable or not vulnerable, and no mention of any other versions that were tested. so i'm keepin my hopes up and my firewalls tight in the meantime!
No, potato's ssh packages are vulnerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134.
Note that the upgraded openssh packages require updated openssl packages; it looks like the new openssl packages will co-exist with the older version that shipped with potato, but I no longer have any potato systems so YMMV.
Phil

ps: it's great to be back on debian-user once again!