
Re: debian potato's SSH not affected by SSH bug?



On Wed, Jun 26, 2002 at 02:10:58PM -0500, Dave Sherohman wrote:
> Would the security team please issue an official update to the
> advisory indicating whether, now that further information on the
> vulnerability has been released, existing (pre-3.3) debian ssh
> packages are believed to be affected?

I think it's safe to say that there will be more information from the
security team as more information becomes clear. While my understanding
is that at least OpenSSH 3.0.2 in woody/sid was not affected by the
specific vulnerability that was announced today, it's not yet obvious
that only one vulnerability was involved, and, let's face it, Debian has
not exactly had the benefit of lots of advance information up to now. In
these circumstances, don't expect the security team to be quick about
claiming potato isn't vulnerable.

It might be worth considering that updating OpenSSH 1.2.3 was perhaps
long overdue anyway: 1.2.3 is very old code and hasn't had a great deal
of auditing recently. That's not to say that anyone is pleased about
having to push out such a rushed update in a way that skates very close
to the edges of how stable is intended to be managed.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

