Micah Anderson <[EMAIL PROTECTED]> writes:

> I'm just sending a ping to find out if there has been any movement on
> this issue.

> Back in September you wrote:

> "This is absolutely fantastic news.  As soon as I get some more free
> time, I'll try the new packages and look at what the transition will
> entail. Getting back to one set of SSH packages will make life far
> easier for everyone."

Hi Micah,

As Sam mentions, it's not at all clear to either of us that this is
actually a bug.  I don't really understand why this was considered a
security issue; the only possible attack that I can see should be
prevented by SSH's standard known hosts handling.  Perhaps that wasn't
considered a sufficient test?

Anyway, I've been rather busy with various projects, so I haven't yet had
a chance to write up a migration plan for eliminating the openssh-krb5
package.  Given the controversial and low-impact nature of this
vulnerability, though, I'd still rather proceed with that than upload a
new release with this patch.  I'll try to write up a migration proposal
this week and start the discussion with the OpenSSH maintainers.

Thank you for the reminder!

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>

