Faheem Mitha <[EMAIL PROTECTED]> writes:

> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on. I have run apt-get update and apt-get upgrade on it. The
> most serious problem appears to be with ssh. What should I do about this,
> if anything?
>
> Should I upgrade to a more recent version of ssh from testing? The current
> version of Openssh1.is at 1.2.3-9.3 and the most recent version is 2.9. In
> any case, I thought security vulnerabilities were supposed to be fixed in
> stable.

Security problems in stable packages are often fixed by back-porting changes from later versions. Hence just looking at the version number of a package is in many cases an inadequate way of determining whether it (still) contains a certain security hole. It is best to look at the change logs.

AFAIK, the problem you refer to was addressed by DSA-027 <URL:http://www.debian.org/security/2001/dsa-027>. If you have security.debian.org in your sources.list the fix should have been installed when you apt-got.

--
Leonard Stiles <[EMAIL PROTECTED]>
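
The two checks suggested in the reply above, as an added example that is not part of the original message: one function lists the Debian changelog entries that mention a security fix, the other tests whether an active sources.list line points at security.debian.org. The package name `exampled`, its versions, the keyword list and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; "exampled" and every sample line below are constructed.

# Print the version of each changelog entry whose text mentions a security fix.
security_entries() {
    awk '
        /^[a-z0-9][a-z0-9+.-]* [(]/ {   # entry header: "pkg (version) dist; urgency=..."
            ver = $2; gsub(/[()]/, "", ver); reported = 0; next
        }
        /^ -- / { next }                # trailer: maintainer and date
        !reported && tolower($0) ~ /security|vulnerab|overflow|cve-|dsa-/ {
            print ver; reported = 1
        }
    ' "$1"
}

# Succeed if an active (uncommented) deb line points at security.debian.org.
has_security_source() {
    grep -Eq '^[[:space:]]*deb(-src)?[[:space:]].*security\.debian\.org' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/changelog" <<'EOF'
exampled (1.0-3.2) stable; urgency=high

  * Backport upstream fix for a buffer overflow in request parsing.

 -- Constructed Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

exampled (1.0-3.1) stable; urgency=low

  * Fix typo in manual page.

 -- Constructed Maintainer <maint@example.org>  Fri, 01 Dec 2000 00:00:00 +0000
EOF

cat > "$demo/sources.list" <<'EOF'
deb http://http.us.debian.org/debian stable main
deb http://security.debian.org stable/updates main
EOF

echo "entries mentioning a security fix:"
security_entries "$demo/changelog"
if has_security_source "$demo/sources.list"; then
    echo "security.debian.org is enabled"
fi
```

On an installed system the packaged changelog is at /usr/share/doc/<package>/changelog.Debian.gz; decompress it with zcat and pass `-` as the file argument to read it from standard input.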