On Sun, Jun 1, 2008 at 10:14 PM, Tzafrir Cohen <[EMAIL PROTECTED]> wrote:
> On Sun, Jun 01, 2008 at 09:49:34PM +1000, Amos Shapira wrote:
>> On Sun, Jun 1, 2008 at 3:56 PM, Ira Abramov
>
>> > make sure you did dist-upgrade and not just upgrade. I think without it,
>>
>> Why "dist-upgrade"? It's a security fix for the same distro (Debian Etch).
>
> The "dist-upgrade" is due to the new dependency on "openssh-blacklist".
Huh?
$ dpkg -l openssh-blacklist
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii openssh-blackl 0.1.1 list of blacklisted OpenSSH RSA and DSA keys
And that's from a simple "aptitude update".
I've never heard of dist-upgrade required for anything but
distribution version upgrade.
>
>>
>> > it didn't really update ssh for me, because the way the update was
>>
>> The package version is 1:4.3p2-9etch2. Is this the one it should be?
>
> The correct package version is libssl0.9.8-4etch3 . That's where the
> PRNG code resides.
$ dpkg -l libssl0.9.8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libssl0.9.8 0.9.8e-5 SSL shared libraries
$ apt-cache policy libssl0.9.8
libssl0.9.8:
Installed: 0.9.8e-5
Candidate: 0.9.8e-5
Version table:
*** 0.9.8e-5 0
100 /var/lib/dpkg/status
0.9.8c-4etch3 0
990 http://mirror.optus.net.au etch/updates/main Packages
990 http://security.debian.org etch/updates/main Packages
0.9.8c-4etch1 0
990 http://ftp.au.debian.org etch/main Packages
Is 0.9.8e-5 considered later than 0.9.8-4etch3?
"aptitude" lists the currently installed version and the other two
(-4etch1 and -4etch3) as available, but it doesn't mark this package
as "upgradeable".
>
> BTW: a look at /usr/share/doc/<PACKAGENAME>/changelog.Debian.gz can
> also help.
That (plus the name of the package I should actually look at -
libssl0.9.8) was a good clue.
The /usr/share/doc/libssl0.9.8/changelog.Debian.gz I had had its latest entry
(top of the file) dated 15 May 2007.
I forced aptitude to pick the version you gave, it reported that it'll
downgrade some LDAP packages, which I accepted. Now the
changelog.Debian.gz has latest entry dated May 8th, 2008.
After installation aptitude reported "security updates" to the
downgraded LDAP packages but otherwise was happy (doesn't mention the
package version I downgraded from).
I also commented out backports for good measure even though "apt-cache
policy" didn't mention it.
Now ssh-keygen generates good keys.
Thanks for the info.
I'd just like to clarify the dist-upgrade point you made above: I
didn't have to do it at all; are you sure this is correct?
--Amos