Hi, [UPDATE] Stephan Beck: > Hi Mark, > > Mark Fletcher: >> On Mon, Sep 26, 2016 at 02:52:00PM +0000, Stephan Beck wrote: >>> Hi Lisi, >> >>> If you look at the second line of the terminal output I reproduced, you >>> find that the openssl component in use within the package openssh Debian >>> Jessie is one step behind. "Standalone" OpenSSL package is now at >>> version 1.0.1t-1+deb8u5 since September 23. >>> >>>> me@mymachine:~/.ssh$ ssh -vv me@theremoteserver >>>> OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016 >>> >> Yeah there was a Debian security advisory last week with a security >> patch for OpenSSL. I thought the fix was already in place, certainly I >> got an update for OpenSSH when I updated on Sunday. > > I didn't receive any update of the OpenSSH package in the past days. > Such update would usually be communicated issuing a DSA urging people to > upgrade, wouldn't it? And I'm subscribed to the DSA. > Just checked and as latest I upgraded the libarchive package.
not even activating deb-src (security) and deb-src (ftp.xx.debian.org) Sources apt-get update apt-get upgrade results in any OpenSSH package being updated. In packages.debian.org I see a sources patch that can be manually downloaded and applied. But nothing you "get", as you say. So, am I right? It is not included in the .deb sources that are accessible (provided there is the entry in apt-sources.list) using the above apt commands. Cheers Stephan