[WBEL-users] How do I know whether ssh is patched against the latest exploits?

John Morris jmorris@beau.org
Wed, 5 May 2004 15:10:19 -0500 (CDT)


On Wed, 5 May 2004, Matt Grab wrote:

> I have 3.6.1p2-18 installed from up2date (whitebox channel from nc mirror).
> up2date says all packages on my system are current - none to update.
> I heard that ssh lower than 3.7 is remotely exploitable.  But I also heard 
> that redhat doesn't change the version numbers.

Exactly.  RH, like most distributions that aim for stability
(Debian-stable, OpenBSD, etc.) backport only the security fix instead of
revving the version and possibly introducing new/different features.  In a
system that is supposed to just sit and run for years the last thing you
need is a new version introducing some slight difference that breaks a
production server and causes a panicked all-nighter to figure out what
changed.

Examining the changelog for the package is usually sufficient to determine 
which security issues are fixed.  RH has taken to including the bug ID in 
the log recently and I don't touch any of that when I rebuild them.

-- 
John M.      http://www.beau.org/~jmorris        This post is 100% M$ Free!
Geekcode 3.1:GCS C+++ UL++++$ P++ L+++ W++ w--- Y++ b++ 5+++ R tv- e* r
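The changelog check described in the reply above, as an added example that is not part of the original post or of any distribution's tooling: it pulls CVE/CAN and bug-number references out of changelog text so a backported fix can be recognised even though the package version string never changed. The sample changelog, its identifiers and the maintainer address are constructed placeholders, and the `package_mentions` wrapper is a hypothetical convenience around the real `rpm -q --changelog` command.

```shell
#!/bin/sh
# Added example (not from the original post): find security identifiers in an
# RPM changelog instead of trusting the version number.

# Constructed sample in the format "rpm -q --changelog <pkg>" prints.
# Every CVE/CAN and bug number here is a placeholder, not a real identifier.
SAMPLE_CHANGELOG='* Tue Sep 16 2003 Example Maintainer <maint@example.invalid> 3.6.1p2-18
- backport fix for buffer management bug (CAN-0000-0001, #000001)
- rebuild

* Mon Aug 04 2003 Example Maintainer <maint@example.invalid> 3.6.1p2-17
- fix for CVE-0000-0002
- pam configuration tweak'

# security_ids: read changelog text on stdin, print each CVE/CAN id and
# each "#nnnnnn" bug reference once, one per line, in C-locale order.
security_ids() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]+|#[0-9]+' | LC_ALL=C sort -u
}

# changelog_mentions ID: exit 0 if the changelog on stdin references ID.
changelog_mentions() {
    security_ids | grep -qxF "$1"
}

# package_mentions PKG ID: same check against an installed package's
# changelog (hypothetical wrapper; needs rpm on the host).
package_mentions() {
    rpm -q --changelog "$1" | changelog_mentions "$2"
}

# Stand-alone run over the constructed sample: lists the three identifiers.
printf '%s\n' "$SAMPLE_CHANGELOG" | security_ids
```

On a real host the equivalent query is `rpm -q --changelog openssh | grep -i CVE`; an advisory whose identifier never appears in the changelog of the installed build is the case that deserves a closer look, since an unchanged version string alone says nothing either way.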