Osamu Aoki wrote:
> If anyone has a suggestion to improve debian-reference to prevent
> people from taking such a strategy, let me know. Also, if you have a
> concrete case example of why such a method is less safe than 'apt-get
> upgrade' or 'aptitude safe-upgrade', let us know.
I think this case is one example. By selectively upgrading only the ssh program binary and not the dependent libraries, the openssl libssl library was allowed to become stale. It was almost certainly behind on security upgrades, as I remember there have been DSAs filed against it relatively recently. It was almost certainly vulnerable to DSA-2392-1, DSA-2454-2, or DSA-2475-1, for example.

Bob
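The check Bob's reply implies, written out as an added example (it is not part of this thread and not a Debian tool): list the shared libraries a binary links against, map each to the package that owns it with `dpkg -S`, and report which of those packages `apt-get -s upgrade` would still upgrade. A non-empty result means the binary was updated but one of its libraries was left behind, which is exactly how a hand-upgraded ssh ends up running against a stale libssl. The parsing is separated from the tool invocations so it can be exercised on the constructed sample output embedded below (package names and version strings in the samples are constructed, not taken from any real DSA).

```sh
#!/bin/sh
# Added example: report packages owning a binary's shared libraries that still
# have pending upgrades. Not from the thread; the sample data below is constructed.

# Read "dpkg -S" style lines on stdin ("pkg:arch: /path" or "pkg: /path")
# and print the bare package name (architecture qualifier dropped), sorted, unique.
owning_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        pkg=${line%%: *}            # "libssl1.0.0:amd64"
        printf '%s\n' "${pkg%%:*}"  # "libssl1.0.0"
    done | sort -u
}

# Read "apt-get -s upgrade" output on stdin and print the packages it would
# install, taken from the "Inst <pkg> [old] (new ...)" action lines, sorted, unique.
pending_upgrades() {
    awk '$1 == "Inst" { print $2 }' | sort -u
}

# stale_deps DPKG_OUTPUT APT_OUTPUT
# Intersection of the two lists: packages that own one of the binary's libraries
# and are still waiting for an upgrade. Both inputs are sorted and unique, so a
# line that appears twice in the concatenation is in both sets.
stale_deps() {
    owned=$(printf '%s\n' "$1" | owning_packages)
    pending=$(printf '%s\n' "$2" | pending_upgrades)
    printf '%s\n' "$owned" "$pending" | sort | uniq -d | awk 'NF'
}

# check_binary /path/to/binary: run the real tools on a Debian host.
# Note: ldd may execute the binary's dynamic loader; only point it at binaries
# you already trust (those installed from packages are fine).
check_binary() {
    bin=$1
    libs=$(ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }')
    if [ -z "$libs" ]; then
        echo "no shared libraries found for $bin" >&2
        return 1
    fi
    dpkg_out=$(printf '%s\n' "$libs" | xargs dpkg -S 2>/dev/null)
    apt_out=$(apt-get -s upgrade 2>/dev/null)
    stale_deps "$dpkg_out" "$apt_out"
}

# Constructed sample of "dpkg -S" output for an ssh binary's libraries.
SAMPLE_DPKG='libssl1.0.0:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
libssl1.0.0:amd64: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
zlib1g:amd64: /lib/x86_64-linux-gnu/libz.so.1
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6'

# Constructed sample of "apt-get -s upgrade" output: libssl is pending, libc6 is not.
SAMPLE_APT='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libssl1.0.0 openssl
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.0.0 [1.0.1e-2+deb7u3] (1.0.1e-2+deb7u4 Debian-Security:7.0/stable [amd64])
Inst openssl [1.0.1e-2+deb7u3] (1.0.1e-2+deb7u4 Debian-Security:7.0/stable [amd64])
Conf libssl1.0.0 (1.0.1e-2+deb7u4 Debian-Security:7.0/stable [amd64])
Conf openssl (1.0.1e-2+deb7u4 Debian-Security:7.0/stable [amd64])'

if [ $# -gt 0 ]; then
    check_binary "$1"          # real check, e.g. ./stale-libs.sh /usr/bin/ssh
else
    echo "stale library packages in constructed sample:"
    stale_deps "$SAMPLE_DPKG" "$SAMPLE_APT"   # prints libssl1.0.0
fi
```

Run with a path (`sh stale-libs.sh /usr/bin/ssh`) on a Debian system to check a real binary; with no arguments it runs against the constructed sample, where only libssl1.0.0 is both linked and pending. The intersection uses `sort | uniq -d` rather than `comm` so no temporary files are needed, and `awk 'NF'` drops the empty line that an empty list would otherwise contribute.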