On 08/19/2008 01:28 PM, Rod James Bio wrote:
It seems that the difference in package really did matter.
apt-cache policy libssl0.9.8
libssl0.9.8:
Installed: 0.9.8c-4
Candidate: 0.9.8c-4etch3
Version table:
0.9.8c-4etch3 0
500 http://debian.savoirfairelinux.net stable/main Packages
500 http://security.debian.org stable/updates/main Packages
*** 0.9.8c-4 0
100 /var/lib/dpkg/status
Does anyone knows how to explain this. I'm pretty new to debian and
particulary linux. Thanks!
To make a long story short: there's been a security issue of ssh on
debian [1]. One of your machines appears to use the vulnerable version,
the other one the updated one. For security reasons the updated version
won't connect to or accept connections from insecure machines.
Just update the vulnerable machine, follow the steps in [1] and you
should be fine.
Note that while debian is certainly more secure than many other OS,
there are occasional security updates. In order to have a secure system,
you should upgrade regularly (and check for upgrades). It also helps to
subscribe to debian-security-announce.
HTH, cheers,
Johannes
[1] http://www.debian.org/security/2008/dsa-1576