On Sat, 23 Feb 2002, Paul Hampson wrote:
> On Fri, Feb 22, 2002 at 02:20:00PM -0000, Liam Ward wrote:
> > On 22 Feb 2002 at 9:11, Walter Tautz wrote:
> > > http://www.cert.org/incident_notes/IN-2001-12.html
> > > http://www.cert.org/advisories/CA-2001-35.html
>
> > > which apparently refers to ssh1 crc-32 compensation attack detector
> > > and some other problems?
>
> > > Judging from the page there openssh is fixed only in version 2.3.0
> > > and later? Or has the one in potato been patched so that none of
> > > these vulnerabilities.
>
> > The new version of Nessus (in testing) is complaining about this too.
>
> > I think, from looking at the bug reports etc., that in potato the
> > offending versions of ssh and openssh have been patched so that,
> > although your version number indicates that you have a problem, the
> > truth is that you're safe. All of this is, of course, dependent on
> > you being up to date with security.debian.org updates.
>
> > Can someone confirm this please...
>
> Yup, ssh in potato has been patched against the known vulnerabilities
> in that version of OpenSSH.
>
> The version of ssh in sid (and presumably woody) reports
> its Debian package version as well, so that tools such as Nessus
> can tell it from the vanilla OpenSSH.
>
> If you're curious, this extension was thoroughly debated in
> debian-devel a fortnight ago or so. :-)
>
> --

When you refer to `extension' what do you mean. Also where would I
look for bug reports for this kind of info? bugs.debian.org?

-walter

ps. thanks for confirming the security but I wouldn't mind confirming
it for myself.
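The banner issue discussed in this thread, as an added example that is not part of the original messages: a triage function that treats an old upstream version in an SSH banner as a lead to verify, not a verdict, because a distribution may have backported the fix. The 2.3.0 threshold is the thread's reading of the CERT pages, and the sample banners (including the Debian package versions in them) are constructed for illustration.

```python
import re

# Assumption: threshold is the thread's reading of the CERT pages
# ("fixed only in version 2.3.0 and later"), not independently verified.
FIXED_UPSTREAM = (2, 3, 0)

# SSH identification string: SSH-<proto>-<software>[ <comments>]
BANNER_RE = re.compile(r"^SSH-([\d.]+)-(\S+)(?: (.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH[_-](\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return (upstream_version_tuple, vendor_comment) or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group(2))
    if not v:
        return None
    parts = [int(p) for p in v.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad 2.9 -> 2.9.0
    return tuple(parts[:3]), (m.group(3) or "").strip()

def triage(banner):
    """Classify a banner; an old version number is a lead, not a verdict."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, vendor = parsed
    if version >= FIXED_UPSTREAM:
        return "version-ok"
    if vendor:
        # Distro build: compare the package version in the comment field
        # against the distro's security advisories, not upstream numbers.
        return "check-package-version"
    # No vendor tag: may still be a patched distro build, so confirm on the
    # host (package manager, changelog) before reporting it as vulnerable.
    return "confirm-on-host"

# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "SSH-1.99-OpenSSH_1.2.3",
    "SSH-1.99-OpenSSH_2.2.0p1 Debian 1:2.2.0p1-1",
    "SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6",
    "SSH-1.5-1.2.27",
]
```

Running `triage` over `SAMPLES` shows the untagged old banner landing in `confirm-on-host`, which is the false-positive case the thread describes for potato.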