On Mon, Jul 02, 2001 at 11:41:30AM -0400, Faheem Mitha wrote:
>
> Dear Debian People,
>
> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on. I have run apt-get update and apt-get upgrade on it. The
> most serious problem appears to be with ssh. What should I do about this,
> if anything?
>
> Should I upgrade to a more recent version of ssh from testing? The current
> version of Openssh1 is at 1.2.3-9.3 and the most recent version is 2.9. In
> any case, I thought security vulnerabilities were supposed to be fixed in
> stable.
If you look at the changelog for ssh (which will be installed as
/usr/share/doc/ssh/changelog.Debian.gz) you'll see that the version you are
currently using contains the necessary security patch (backported from the
1.2.32 version as listed in this "report"). Debian has a (very good) habit of
back-porting any necessary security fixes to the currently used version rather
than upgrading the package to the latest upstream version. Why? Because this
gives greater confidence that the security issue will be resolved without
introducing any other bugs.

As for the other issues you can modify /etc/inetd.conf to remove most of these
if you care. Whether or not this is worth doing depends upon whether these
services are of any use to you (unlikely) and just how paranoid you need to be
with the machine in question.

Hope this answers your question,

Derek
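The inetd.conf clean-up Derek suggests, as an added shell example that is not part of the thread and not Debian's own tooling. It assumes the Debian 2.2-style /etc/inetd.conf layout (first field is the service name, lines starting with # are ignored by inetd); the sample file below is constructed here rather than taken from any real machine, and the function names are arbitrary.

```sh
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes the classic inetd.conf format: one service per line, service name
# in the first field, '#' lines ignored by inetd.

# Print the inetd.conf named in $1 with the services listed in $2 (space
# separated) commented out, so inetd stops listening on those ports after a
# restart. Existing comments and blank lines are passed through unchanged.
disable_inetd_services() {
    conf="$1"; services="$2"
    awk -v list="$services" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # keep comments/blank lines
        ($1 in off)                          { print "#" $0; next }  # disable this service
        { print }
    ' "$conf"
}

# List the service names still enabled (not commented out) in the inetd.conf
# named in $1; useful as the "what is this box still offering?" check.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Constructed sample resembling a stock Debian 2.2 /etc/inetd.conf (hypothetical).
SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# /etc/inetd.conf: constructed sample, not a real machine's file
#:INTERNAL: Internal services
echo     stream  tcp     nowait  root    internal
discard  stream  tcp     nowait  root    internal
daytime  stream  tcp     nowait  root    internal
#:STANDARD: These are standard services.
telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
finger   stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
EOF

# Show what is enabled before, then the file with the rarely needed
# services switched off. On a real system you would redirect the output to a
# new file, review it, copy it into place and restart inetd.
echo "enabled before: $(enabled_inetd_services "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
disable_inetd_services "$SAMPLE_INETD_CONF" "echo discard daytime finger"
```

The functions never edit the file in place; they emit a new version so the change can be reviewed (and diffed against the original) before it is installed and inetd is restarted.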