On Wed, Jun 26, 2002 at 02:10:58PM -0500, Dave Sherohman wrote:
> Would the security team please issue an official update to the
> advisory indicating whether, now that further information on the
> vulnerability has been released, existing (pre-3.3) debian ssh
> packages are believed to be affected?

I think it's safe to say that there will be more information from the security team as more information becomes clear. While my understanding is that at least OpenSSH 3.0.2 in woody/sid was not affected by the specific vulnerability that was announced today, it's not yet obvious that only one vulnerability was involved, and, let's face it, Debian has not exactly had the benefit of lots of advance information up to now.

In these circumstances, don't expect the security team to be quick about claiming potato isn't vulnerable.

It might be worth considering that updating OpenSSH 1.2.3 was perhaps long overdue anyway: 1.2.3 is very old code and hasn't had a great deal of auditing recently. That's not to say that anyone is pleased about having to push out such a rushed update in a way that skates very close to the edges of how stable is intended to be managed.

-- 
Colin Watson [EMAIL PROTECTED]