In message <[EMAIL PROTECTED]>, Ville Uski writes:
>* jigal <[EMAIL PROTECTED]> [011107 14:20]:
>> But I found this in the archives of the security mailinglist:
>> http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html
>>
>> The previous mail in the thread references to:
>> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
>>
>> Which is the vuln in question.
>
>Hm, why should I do that? Is my admin right when he thinks that my
>current sshd is vulnerable? I have the latest stable precompiled
>package, i.e. the default ssh installed.

Make sure that you have the security site in your /etc/apt/sources.list
file. If you do, and apt-get update; apt-get upgrade says you're up to
date, then you're fine. In general, the security team patches the current
version to fix security bugs in stable rather than upgrade to a newer
version. That could be confusing your sysadmin. The CRC bug was patched
in Debian as of ssh version 1.2.3-9.2. You can look at the changelog in
/usr/share/doc/ssh/changelog.Debian.gz for specific information.

--
Ted Cabeen   http://www.pobox.com/~secabeen   [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2   [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon   [EMAIL PROTECTED]
"Human kind cannot bear very much reality."-T.S.Eliot   [EMAIL PROTECTED]