On Tue, Jul 22, 2008 at 11:49:42PM +0300, Teodor wrote:
> On Tue, Jul 22, 2008 at 5:22 AM, Kris Shannon <[EMAIL PROTECTED]> wrote:
> > OpenSSH has now released another new version - 5.1
> >
> > http://www.openssh.com/txt/release-5.1
>
> Please note the security advisory (might be applicable):
> ----
> Portable OpenSSH 5.1 avoids this problem for all operating systems
> by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
> ----

Read the release announcement in full to discover that it is not applicable:

 * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly
   other platforms) when X11UseLocalhost=no
   [...]
   Modern BSD operating systems, Linux, OS X and Solaris implement the
   above checks and are not vulnerable to this attack, nor are systems
   where the X11UseLocalhost has been left at the default value of
   "yes".

> Colin, although you planned to package 5.0p1 please take a look at
> 5.1p1. Considering a recent message from the release team, it is
> enough to make it to unstable until the freeze and it will be included
> in lenny.

Indeed; I already have 5.1p1 merged into my local tree and am in the middle of testing it. The reason I hadn't done it before now is that I was trying to ensure that we had a stable version of 4.7p1 as a fallback following all the upheaval with the OpenSSL random number generator vulnerability.

Cheers,

--
Colin Watson [EMAIL PROTECTED]