
Re: Debian packagename equivalents.

On Wed, May 14, 2003 at 04:09:07PM -0400, Haines Brown wrote:
> It went through the motions to select among over 200 sites, and I
> thought no more of it. However, it actually cleaned out my brief
> sources.list except for the security updates URL. When I put a URL in
> there useful for ordinary packages, I installed ssh2 without a
> hitch.

Don't install ssh2 - really, I mean it, unless you have incredibly
specific requirements. I was the last person to do anything to it, so I
have some idea of the problems involved. The Debian package had no
serious work done on it between early 2000 and late 2001, and none at
all since December 2001. It's considerably out of date with upstream.
While we've had no actual reports of vulnerabilities there as far as I
can recall, it would not surprise me if there were possible attacks
against that version of ssh2, and I would certainly not run it on a
production system.

We've since removed ssh2 from the testing and unstable distributions of
Debian. I strongly recommend using ssh instead, which is OpenSSH, so has
the additional bonus over ssh2 of being free-as-in-speech software.


Colin Watson                                  [cjwatson@flatline.org.uk]
