On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote: > Hi Ivo, > > > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable): > [..] > > - user module - do not pass ssh_key_passphrase on cmdline > > (CVE-2018-16837) > > Thanks for providing this and no problem that this wasn't in the > changelog. > > Security team: This still affects stretch and jessie as I unless > I'm missing something - would you like me to prepare an upload for > stable? I'm happy to take the LTS side of things.
We can fix that one in a DSA, but should also fix CVE-2018-10875 and CVE-2018-10874, then. Cheers, Moritz