Damien Miller wrote:
>We apologise for any inconvenience resulting from this release
>being made so shortly after 4.9. Unfortunately we only learned of
>the below security issue from the public CVE report. The Debian
>OpenSSH maintainers responsible for handling the initial report of
>this bug failed to report it via either the private OpenSSH security
>contact list ([EMAIL PROTECTED]) or the portable OpenSSH Bugzilla
>(http://bugzilla.mindrot.org/).
>
>We ask anyone wishing to report security bugs in OpenSSH to please use
>the [EMAIL PROTECTED] contact and to practice responsible disclosure.

My apologies for this; after having been in a very busy period at work
for some time, I was dealing with the bug in a rush immediately before
going on holiday for a week, and a comment on the bug by that point
indicated that it had already been forwarded to Theo de Raadt. Since that
sounded vaguely reasonable and I was short on time, I didn't think to
check further.

(The bug log indicates that a member of Red Hat's Security Response Team
was also aware of the same problem.)

-- 
Colin Watson                                       [EMAIL PROTECTED]


