On Sun, Jun 01, 2008 at 09:00:11PM +1000, Amos Shapira wrote:
> On Sun, Jun 1, 2008 at 8:01 PM, Shachar Shemesh <[EMAIL PROTECTED]> wrote:
> > Actually, it's better to have the "security" repository after the isoc one.
> > This way, if both have the same package, you will get it from the
> > geographically closer one.
> >
> > But, yes, failing to have the security source in sources.list will cause the
> > problem described.
> 
> Thanks everyone for your pointers to security.debian.org. I already
> have it in my sources.list.
> 
> The version I have installed on that system now is: 1:4.3p2-9etch2
> The version mentioned in the security advisory
> (http://www.debian.org/security/2008/dsa-1576) is 1:4.3p2-9etch1
> The latest version available for the stable release is the one I have 
> installed:
> http://packages.debian.org/etch/i386/openssh-client/download
> (1:4.3p2-9etch2), I couldn't find the security advisory which talks
> about it.
> 
> I've reinstalled the package with "aptitude reinstall openssh-client"
> and compared the new and old files and they are identical.
> I'm using the i386 version.
> 
> Just to make sure, I also downloaded the .deb file directly from the
> link above (from packages.debian.org) and re-installed it, and still get
> exactly the same file as the original one.
> 
> Any other ideas?

Mind you, the bug was not in openssh, but in openssl. You should (at
least) update this one too. It affected many other packages, including
openssh, which was updated to check for bad keys etc., but the actual fix
is in a newer version of openssl.
-- 
Didi

