1
24th April 22:17
External User
Posts: 1
Looks like this is only available in woody:

http://www.cert.org/advisories/CA-2003-24.html
http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383

Is there no fix for sid yet?

-Bruce

-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
2
24th April 22:17
External User
Posts: 1
What do you mean? It has been fixed in the current version of ssh (3.6.1p2-9). The days they were announced there were fixes available (4 hours, if I remember properly) (2 version increments in short order).

-- 
greg, greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Were it not for the dizzy whiptail ambivalence of your crumbling fleece, I could never contemplate the ways of so many merchant bankers in heat.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQA/s/o37WZpcbUkaHwRAqH+AJ425ctE/ugsR2JLwcXeOaV17jo91QCghCk9
TokVI5gx0/5jboatoSxaV50=
=tFO7
-----END PGP SIGNATURE-----
3
25th April 19:35
External User
Posts: 1
On Thu, 13 Nov 2003 16:40:08 -0500
GF> On Wed, 2003-11-12 at 19:40, bruce edge wrote:
GF> > Looks like this is only available in woody:
GF> > http://www.cert.org/advisories/CA-2003-24.html
GF> > http://www.debian.org/security/2003/dsa-382
GF> > http://www.debian.org/security/2003/dsa-383
GF> >
GF> > Is there no fix for sid yet?
GF>
GF> What do you mean, it has been fixed in the current version of ssh
GF> (3.6.1p2-9) The days they were announced there were fixes available
GF> (4 hours if I remember properly) (2 version increments in short
GF> order)

I think he means that there is no mention of Sid (nor Sarge) in any of the advisories, but only Woody. DSAs leave it up to the user (well, more like apt-get) to find patched versions for testing and unstable. Why?

Q: How is security handled for testing and unstable?
A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.

Also there:

Q: The version number for a package indicates that I am still running a vulnerable version!
A: Instead of upgrading to a new release we backport security fixes to the version that was shipped in the stable release. The reason we do this is to make sure that a release changes as little as possible so things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact version number with the version indicated in the Debian Security Advisory.

So you don't need openssh 3.7.1 to be safe (from this, at least).

Now, I'm new to Debian, I'm "unstabling" my system (so far, not good ;-), and would like some clarification, so please tell me if true, nil or void:

1. There are no "formal" security fixes for testing and unstable.
2. So the usual securing method is to wait for a patched or new version to get to your apt mirrors.
3. Even if you apt-get testing/unstable fixes from debian.org, fixes for stable will be well before in security.debian.org.
4. With how much difference? Hours or days?
5. Where are equivalents of debian-security-announce for testing/unstable?

Thanks!
4
26th April 05:28
External User
Posts: 1
Correct, the whole idea behind "Stable" or Woody... is that the packaging and versions stay compatible and consistent... therefore "STABLE": as few changes as possible, maintenance mode (bug and security fixes, NO new features).

"Testing" or Sarge, as it is called right now, is the next version of Stable to be released. The reason it is called testing is just that people are testing it to make sure it is good enough to become "Frozen", which in and of the word means serious flaws, bugs and fixes are the only changes that can be made... some exceptions can be made if the features are deemed very needed... but overall it is a setting of versions and features into wet clay... allowing for changes still, but only fixing things, not NEW designs or such.

"Unstable" or Sid (as it is always called) is not "Unstable as a Linux Distribution". I personally have a Sid machine that has an uptime of 4 months right now... it is up to date (with a 2.4.20 kernel) and works flawlessly... I update it every day. The "Unstable" term is about the package listing that is available: on any given day there could be hundreds of updates to Sid... take a look at http://incoming.debian.org. Those are the changes submitted in the last few days (or weeks sometimes). I had a Sid machine I updated yesterday, hadn't touched it for 6+ weeks. 879 packages updated, 82 newly installed, 24 removed (due to repackaging) and 4 held. THAT is what "Unstable" is all about.

Correct. Nothing formal about them... although testing was supposed to have them. It has just not really been needed. If you really are worried about security on Sid or Sarge... you know how and where to get your "fix".

Debian Archive updates are a continuous thing: the Master shoves stuff out to the push mirrors (which are [ht|f]tp.XX.debian.org), then the leaf mirrors usually check often, then pull the stuff down to themselves. The process of acceptance from incoming on these things is usually very short for Sid. It may take a week or more to get promoted to "Testing"... once again... if you really are worried, you really shouldn't be running Unstable if you don't know where to get the fixes.

Indeed, Stable *IS* the priority. If it isn't fixed within hours (typically) or even sometimes minutes... something is gravely wrong with the security fix and it takes a bit more work to get it right. Typically, for a simple fix... it could be as few as the minutes it takes for the maintainer to compile and upload. On the other hand, if Stable is a long fix... it could be that Unstable could be as long. But it might be fixed as soon as Stable due to the backport causing trouble. Typically though, you are usually looking at minutes to a couple of hours.

There really is nothing for Testing or Unstable. Just reference the Debian Advisory. And subscribe to Debian-Devel... comments from developers usually are right on the money... and can help out with the wondering.

Overall, if security is your number one "paranoid" issue (it is for me) then you either stick with Stable or discover where it is that you need to get your fixes ASAP.

-- 
greg, greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Your beautiful bulgarian bricks stack like the thousand eyes of Estonian potatos, peering amid fuzzy dreams of corrugated cardboard.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQA/tPiz7WZpcbUkaHwRAnWqAJ9NdtFJZVGEK4ehtrLinehKcTk0WgCgjTwo
Y3GyDDCT9LGEU+Rzoar2/QY=
=FwN8
-----END PGP SIGNATURE-----