On Tue Sep 23, 2003 at 09:52:53AM -0600, Vincent Danen wrote:
> [..]
> > greatest out there, and YES, I know Mandrake has
> > released an rpm patch for 3.6p1. But, with our
> > internal scan, anything running a version identified
> > as vulnerable, even if patched, is flagged. So I have
> > always used locally compiled versions of ssh. Anyone
> > else gone past this problem?
> >
> > Longing for a response/idea/suggestion/recommendation
> > only on getting openssh-3.7p1 to work.
>
> Then you want 3.7.1p1.
>
> But... and this is just a friendly warning... 3.7.1p1 has been causing a
> lot of problems for various people, according to discussion on the
> openssh-dev mailing list. You might want to ignore your scanner in this
> instance and use the patched packages... it'll be more reliable.
>
> The latest and greatest is not always the greatest.

Sorry, you want 3.7.1p2 (released today). They turned pam off by default and introduced two new vulnerabilities in 3.7.x that weren't in 3.6.x. How's that for wanting to stick with a patched version?

(And people wanted 3.7 in cooker/updates... tsk tsk tsk)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
