Re: rssh update
From: Russ A. <rr...@st...> - 2006-07-19 16:43:50
richard lucassen <mai...@lu...> writes:

> Ok, thnx both of you. So if I understand it correctly the Debian version
> has been vulnerable for 7 months. I switched from the Sarge version to
> the vanilla version when I read about the vulnerability last January and
> I was already wondering why there wasn't a Debian security update. Next
> time I'll notify the Debian maintainer.

Yes, unfortunately, 2.2.3-1.sarge.1 was broken, including security flaws, and that bug wasn't fixed until 2.2.3-1.sarge.2 was released just now. There was a miscommunication with the Debian security folks on my part that didn't help (they hadn't realized that the bug was specifically applicable to 2.2.3-1.sarge.1, not just 2.2.3-1).

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>