On 27/07/2017 15:53, Thorsten Glaser wrote:
> On Thu, 27 Jul 2017, Adam Weremczuk wrote:
>
>> These are the vulnerabilities I'm referring to and they have been addressed in
>> OpenSSH versions 6.6 and 7.2p2:
>
> That’s *upstream* version numbers. As Roberto said, the LTS team
> will take those changes (and *only* those security-related fixes),
> backport them to the old wheezy version and upload that regularly
> to the wheezy-security suite.
>
> So, just use these packages. They bear an old *upstream* version
> number and lack the new *upstream* features, but they have all
> the security fixes backported.
>
> bye,
> //mirabilos

Hi Thorsten,
Are you saying that if I:
- add
deb http://ftp.debian.org/debian wheezy-backports main
to /etc/apt/sources.list
- apt-get update
- apt-get upgrade openssh-server
I will have all security patches (ever implemented for openssh-server
for any Debian distro) despite the version still reporting as
1:6.0p1-4+deb7u6 ?
How do I hard prove it and convince the external company flagging it on
our server?
Does their flagging mean they don't know how Debian security patching works?
Thanks
Adam
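
Added example, not part of this thread: one way to produce evidence of a backported fix is to find the package revision whose Debian changelog entry names the CVE. The function names, CVE IDs, versions and changelog text below are constructed placeholders; on a real host the input would come from `zcat /usr/share/doc/openssh-server/changelog.Debian.gz`.

```sh
#!/bin/sh
# Added example, not from the thread. CVE IDs, versions and changelog text
# below are constructed placeholders.

# Print the version of the oldest changelog stanza that mentions CVE $1.
# Reads a Debian changelog (newest stanza first) on stdin; exit 1 if absent.
cve_fixed_in() {
    awk -v cve="$1" '
        # Stanza header: "source (version) suite; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        # Match the whole ID so CVE-2099-0001 does not hit CVE-2099-00012.
        $0 ~ (cve "([^0-9]|$)") { found = ver }
        END { if (found == "") exit 1; print found }
    '
}

# Constructed sample standing in for
#   zcat /usr/share/doc/openssh-server/changelog.Debian.gz
sample_changelog() {
    cat <<'EOF'
openssh (1:6.0p1-4+example2) wheezy-security; urgency=high

  * Backport upstream fix for CVE-2099-0002.
  * Follow-up to the CVE-2099-0001 patch.

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2099 00:00:00 +0000

openssh (1:6.0p1-4+example1) wheezy-security; urgency=high

  * CVE-2099-0001: backport upstream fix.

 -- Example Maintainer <maint@example.org>  Wed, 01 Jan 2098 00:00:00 +0000
EOF
}

# One line per CVE: the fixing revision, or a note that it is not listed.
report() {
    for cve in "$@"; do
        if v=$(sample_changelog | cve_fixed_in "$cve"); then
            echo "$cve fixed in $v"
        else
            echo "$cve not mentioned in changelog"
        fi
    done
}

report CVE-2099-0001 CVE-2099-0002 CVE-2099-0003
```

The installed revision can then be compared against the reported one with `dpkg --compare-versions "$installed" ge "$fixed"`, where `$installed` is the output of `dpkg-query -W -f='${Version}' openssh-server`.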