On Tue, Sep 16, 2003 at 08:38:39PM +0200, Johan C wrote:
> I use ssh2 (2.0.13-7) on my webserver. As far as I can see this packet has
> not been updated since Sat, 15 Dec 2001 12:43:25 +0000. My question is if
> this packet is still considered secure and reliable to use after all
> OpenSSH-bugs, since it's not updated for almost 2 years, or is that because
> it's considered outdated?

The ssh2 package was the non-free ssh.com version of SSH, not OpenSSH. We removed it from Debian testing and unstable some time ago, and the last version uploaded to Debian was a long way behind ssh.com's version even then. I would be astonished if it didn't have a number of security holes.

Notwithstanding today's OpenSSH vulnerability, I still very strongly recommend that you stop using ssh2 and switch to ssh. See also http://lists.debian.org/debian-qa-0209/msg00038.html.

(QA group: should we ask for ssh2 to be removed from stable as well? I don't think the project can reasonably support it at this point.)

Cheers,

--
Colin Watson [EMAIL PROTECTED]