Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Wichert Akkerman
Previously Christian Hammers wrote:
> Don't be too hard on him; if he'd pointed out that only default BSD is
> vulnerable it would not have been too hard to find the exploit before
> everybody had updated.

He could have mentioned ssh protocol 1 wasn't vulnerable..

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Tim Haynes
Wichert Akkerman [EMAIL PROTECTED] writes:

> Previously Christian Hammers wrote:
>
> > Don't be too hard on him; if he'd pointed out that only default BSD is
> > vulnerable it would not have been too hard to find the exploit before
> > everybody had updated.
>
> He could have mentioned ssh protocol 1 wasn't vulnerable..

At the very least.

I'm trying not to think how many Debian policies have been bent because of
the `oh no! it's ssh!' factor. Porting a protocol-2-enabled *new feature* down
to Stable, with the resultant paragraphs on `create a proto-2 keypair' and
`these are untested' in the DSA, causes inconvenience to folks running
Stable+Secure boxes, in addition to those of us using Testing but keeping
an eye on DSAs.
And we're all going to have to upgrade again when 3.4 comes out properly as
it is...

Could I suggest that `until we're told what it is, there is no problem' be
considered as an approach? ;/

~Tim
-- 
http://spodzone.org.uk/


Re: [d-security] Re: DSA-134-1

2002-06-27 Thread Phillip Hofmeister
On Thu, Jun 27, 2002 at 09:12:41AM +0100, Tim Haynes wrote:
> I'm trying not to think how many Debian policies have been bent because of
> the `oh no! it's ssh!' factor. Porting a protocol-2-enabled *new feature* down
> to Stable, with the resultant paragraphs on `create a proto-2 keypair' and
> `these are untested' in the DSA, causes inconvenience to folks running
> Stable+Secure boxes, in addition to those of us using Testing but keeping
> an eye on DSAs.
> And we're all going to have to upgrade again when 3.4 comes out properly as
> it is...

Might I suggest you consider dpkg --force-downgrade *smile*

If not, you will be running around next week when our good friend Theo finds a
vulnerability in 3.4... just a thought


Phil 


Re: [d-security] Re: DSA-134-1

2002-06-26 Thread Christian Hammers
On Wed, Jun 26, 2002 at 07:23:49PM +0200, Florian Weimer wrote:
> Well, it appears if OpenSSH 1.2.3 was *not* vulnerable, so the whole
> exercise was rather pointless.
But drill inspector Theo (update and don't ask questions, soldier!) showed
at least how good our new security upload architecture is and how fast the
security team is *g*

> Thanks, Theo.
Don't be too hard on him; if he'd pointed out that only default BSD is
vulnerable it would not have been too hard to find the exploit before
everybody had updated.

bye,

-christian-
