On Thu, 13 Nov 2003 16:40:08 -0500
Greg Folkert <[EMAIL PROTECTED]> wrote:

GF> On Wed, 2003-11-12 at 19:40, bruce edge wrote:
GF> > Looks like this is only available in woody:
GF> > http://www.cert.org/advisories/CA-2003-24.html
GF> > http://www.debian.org/security/2003/dsa-382
GF> > http://www.debian.org/security/2003/dsa-383
GF> > 
GF> > Is there no fix for sid yet?
GF> 
GF> What do you mean? It has been fixed in the current version of ssh
GF> (3.6.1p2-9). The days they were announced there were fixes available
GF> (4 hours if I remember properly) (2 version increments in short
GF> order).

I think he means that there is no mention of Sid (nor Sarge) in any of the advisories, 
but only Woody.  DSAs leave it up to the user (well, more like apt-get) to find patched 
versions for testing and unstable.  Why?

From http://www.debian.org/security/faq#testing :

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and 
the security team does not have the resources needed to properly support those. If you 
want to have a secure (and stable) server you are strongly encouraged to stay with 
stable. However, the security secretaries will try to fix problems in testing and 
unstable after they are fixed in the stable release.

Also there:

Q: The version number for a package indicates that I am still running a vulnerable 
version!

A: Instead of upgrading to a new release we backport security fixes to the version 
that was shipped in the stable release. The reason we do this is to make sure that a 
release changes as little as possible so things will not change or break unexpectedly 
as a result of a security fix. You can check if you are running a secure version of a 
package by looking at the package changelog, or comparing its exact version number 
with the version indicated in the Debian Security Advisory.

So you don't need openssh 3.7.1 to be safe (from this, at least).  

Now, I'm new to Debian, I'm "unstabling" my system (so far, not good ;-), and would 
like some clarification, so please tell me if true, nil or void:

1. There are no "formal" security fixes for testing and unstable.
2. So the usual securing method is to wait for a patched or new version to get to your 
apt mirrors.
3. Even if you apt-get testing/unstable fixes from debian.org, fixes for stable will 
be on security.debian.org well before that.
4. With how much difference?  Hours or days?
5. Where are equivalents of debian-security-announce for testing/unstable?

Thanks!
