
Re: not in sid yet? - CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH



On Thu, 13 Nov 2003 16:40:08 -0500
Greg Folkert <greg@gregfolkert.net> wrote:

GF> On Wed, 2003-11-12 at 19:40, bruce edge wrote:
GF> > Looks like this is only available in woody:
GF> > http://www.cert.org/advisories/CA-2003-24.html
GF> > http://www.debian.org/security/2003/dsa-382
GF> > http://www.debian.org/security/2003/dsa-383
GF> > 
GF> > Is there no fix for sid yet?
GF> 
GF> What do you mean? It has been fixed in the current version of ssh
GF> (3.6.1p2-9). The day they were announced there were fixes available
GF> (4 hours if I remember properly) (2 version increments in short
GF> order).

I think he means that there is no mention of Sid (nor Sarge) in any of the advisories, but only Woody.  DSAs leave it up to the user (well, more like apt-get) to find patched versions for testing and unstable.  Why?

From http://www.debian.org/security/faq#testing :

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.

Also there:

Q: The version number for a package indicates that I am still running a vulnerable version!

A: Instead of upgrading to a new release we backport security fixes to the version that was shipped in the stable release. The reason we do this is to make sure that a release changes as little as possible so things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact version number with the version indicated in the Debian Security Advisory.

So you don't need openssh 3.7.1 to be safe (from this, at least).  

Now, I'm new to Debian, I'm "unstabling" my system (so far, not good ;-), and would like some clarification, so please tell me if true, nil or void:

1. There are no "formal" security fixes for testing and unstable.
2. So the usual securing method is to wait for a patched or new version to get to your apt mirrors.
3. Even if you apt-get testing/unstable fixes from debian.org, fixes for stable will be available well before that on security.debian.org.
4. With how much difference?  Hours or days?
5. Where are equivalents of debian-security-announce for testing/unstable?

Thanks!


