On Wed, Jan 31, 2024 at 08:19:41AM +0000, [email protected] wrote:
> I'm a long-term Debian user but seeing latest security fix is not
> delivered - Should I start using `sid` for everything now??

https://security-tracker.debian.org/tracker/source-package/openssh shows only one open CVE of any importance, for which no fix exists anywhere to my knowledge (it's mainly a hardware issue, so OpenSSH can't really fix it although it's possible that some form of mitigation might be developed; but in any case that would have to be done upstream first). The rest are all either fixed in stable or unimportant for one reason or another, which you can usually find if you click through to the CVE ID in question.

There are no differences in CVE coverage right now between stable and unstable as far as I know.

Is there a particular CVE that you're concerned about? Note that third-party scanners often report false positives because they work purely in terms of upstream versions and don't understand that distributions often backport fixes.

-- 
Colin Watson (he/him) [[email protected]]

