On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
> Hi Ivo,
>
> > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> [..]
> > - user module - do not pass ssh_key_passphrase on cmdline
> > (CVE-2018-16837)
>
> Thanks for providing this and no problem that this wasn't in the
> changelog.
>
> Security team: This still affects stretch and jessie as I unless
> I'm missing something - would you like me to prepare an upload for
> stable? I'm happy to take the LTS side of things.
We can fix that one in a DSA, but should also fix CVE-2018-10875
and CVE-2018-10874, then.
Cheers,
Moritz
