On Mon, 2005-09-19 at 12:28 +1200, Volker Kuhlmann wrote:
> > Well, you know what they say about assumptions, don't you Volker? ;-)
>
> Yes :)
>
> > So that means he was out of date - current-release version for
> > openssh is 4.2p1.

That's right, and the current stable version in portage is 3.9p1, which has a number of patches applied. I have no doubt that if there are any gaping security holes in 3.9p1, with available patches, gentoo will have applied them. And I do keep all my machines up to date. I am not sure why the later versions are masked, probably still being tested. They are available if you want them though (including 4.2p1).

By way of comparison Fedora 4 has 4.0p1 (http://public.planetmirror.com/pub/fedora/redhat/4/i386/os/Fedora/RPMS/)
But 4.2p1 in updates: http://public.planetmirror.com/pub/fedora/redhat/updates/4/i386/
SuSE 9.3 has 3.9p1 ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/
Can't see anything in updates, but I might be looking in the wrong place.

> This doesn't mean all that much. Some distros backport security fixes
> for good reason, though gentoo isn't so likely to be one of them.

Not sure what you mean by that. Anyway 3.9p1 has a number of patches applied. Dunno myself what they all do, as I am not a programmer.

However it does make me wonder how the whole thing happened. Box rebuilt, new hard drive - have the old one to diagnose at my leisure - whether I will bother is a moot point.

> If there had been a known security problem, every vendor would have
> released a new openssh (it is a major core component), but this didn't
> happen. So either it's in the pipeline, or the newer version is not
> relevant to security. Or there is a problem which is so far undisclosed,
> in which case most everyone has a serious problem.
>
> Of course if there were security updates and Nick didn't install them,
> then it's a good example of why it's a bad idea to not keep up with the
> updates for internet-exposed services.

Updates are easy to apply on gentoo, simply

emerge sync && emerge --update --deep world

(although you would be wise to check what the second command is actually about to do before executing it, but that's no problem, the sequence becomes:

emerge sync && emerge --update --deep --pretend world
(review output)
emerge --update --deep world
)

> Volker
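The "review the --pretend output before emerging" step above can be made less error-prone by scripting the review. The following is an added example, not code from the thread or from Gentoo: it parses a constructed sample of `emerge --update --deep --pretend world` output (assuming the usual `[ebuild  U ] category/pkg-version [oldversion]` line layout) and flags updates to a watch list of internet-exposed services such as openssh so they are not skipped unnoticed.

```shell
#!/bin/sh
# Added example (not part of the original mail): inspect emerge --pretend
# output before running the real update. The sample below is constructed
# and assumes the "[ebuild ... ] cat/pkg-ver [oldver]" layout of portage.

SAMPLE_PRETEND='These are the packages that would be merged, in order:

Calculating world dependencies... done!
[ebuild     U ] net-misc/openssh-4.2_p1 [3.9_p1]
[ebuild     U ] sys-apps/portage-2.0.51.22 [2.0.51.19]
[ebuild  N    ] dev-libs/libfoo-1.0'

# Print "category/pkg-version" for every ebuild line in the pretend output.
# $1: text of the emerge --pretend output
list_planned_updates() {
    printf '%s\n' "$1" | sed -n 's/^\[ebuild[^]]*] \([^ ]*\).*/\1/p'
}

# Print the ebuild lines touching any watched package and return 0 if at
# least one was found, 1 otherwise.
# $1: pretend output, $2: space-separated list of category/package atoms
flag_watched() {
    found=1
    for atom in $2; do
        if printf '%s\n' "$1" | grep -q "^\[ebuild[^]]*] $atom-"; then
            printf '%s\n' "$1" | grep "^\[ebuild[^]]*] $atom-"
            found=0
        fi
    done
    return $found
}

# Stand-alone run: in real use, pipe the output of
#   emerge --update --deep --pretend world
# into these functions instead of the constructed sample.
echo "Planned updates:"
list_planned_updates "$SAMPLE_PRETEND"
if flag_watched "$SAMPLE_PRETEND" "net-misc/openssh" >/dev/null; then
    echo "Watched exposed service would change; read its changelog first:"
    flag_watched "$SAMPLE_PRETEND" "net-misc/openssh"
fi
```

Only after the printed list has been checked does the real `emerge --update --deep world` get run, exactly as the mail recommends.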
