Re: not in sid yet? - CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH

From: Greg Folkert (greg_at_gregfolkert.net)
Date: 11/14/03

    To: D-U List <debian-user@lists.debian.org>
    Date: Fri, 14 Nov 2003 10:45:56 -0500

    On Fri, 2003-11-14 at 01:54, Chema wrote:
    > On Thu, 13 Nov 2003 16:40:08 -0500
    > Greg Folkert <greg@gregfolkert.net> wrote:
    > GF> What do you mean, it has been fixed in the current version of ssh
    > GF> (3.6.1p2-9) The days they were announced there were fixes
    > available
    > GF> (4 hours if I remember properly) (2 version increments in short
    > GF> order)
    > So you don't need openssh 3.7.1 to be safe (from this, at least).

    Correct, the whole idea behind "Stable" or Woody... is that the Packaging and
    versions stay compatible and consistent... therefore "STABLE": as few
    changes as possible, Maintenance Mode (Bug and Security Fixes, NO new
    features).

    > Now, I'm new to Debian, I'm "unstabling" my system (so far, not good
    > ;-), and would like some clarification, so please tell me if true, nil
    > or void:

    "Testing" or Sarge as it is called right now, is the Next Version of
    Stable to be released. Reason it is called testing, is just that people
    are testing it to make sure it is good enough to become "Frozen" which
    in and of the word means, Serious Flaws, Bugs and Fixes are the only
    changes that can be made... some exceptions if the features are deemed
    very needed can be made.. but overall it is a setting of versions and
    features into Wet Clay... allowing for changes still but only fixing
    things version NEW designs or such.

    "Unstable" or Sid (as it is always called) is not "Unstable as a Linux
    Distribution". I personally have a Sid machine that has an uptime of 4
    months right now... it is up to date (with a 2.4.20 Kernel) and works
    flawlessly... I update it every day. The "Unstable" terms the package
    listing that is available, on any given day there could be hundreds of
    updates to Sid... take a look at http://incoming.debian.org. Those are
    the changes submitted in the last few days (or weeks sometimes). I had a
    Sid machine I updated yesterday, hadn't touched it for 6+ weeks. 879
    packages updated, 82 newly installed, 24 removed (due to repackaging) and
    4 held. THAT is what "Unstable" is all about.

    > 1. There are no "formal" security fixes for testing and unstable.
    Correct. Nothing formal about them... although testing was supposed to
    have them. It has just not really been needed. If you really are worried
    about security on Sid or Sarge... you know how and where to get your
    "fix".

    > 2. So the usual securing method is to wait for a patched or new
    > version to get to your apt mirrors.
    Debian Archive updates are a continuous thing, the Master shoves stuff
    out to the Push Mirrors(which are [ ht |f ]tp.XX.debian.org) then the
    leaf mirrors usually check often, then pull the stuff down to
    themselves. The process of acceptance from incoming on these things is
    usually very short for Sid. It may take a week or more to get promoted
    to "Testing"... once again.. if you really are worried, you really
    shouldn't be running Unstable if you don't know where to get the fixes.

    > 3. Even if you apt-get testing/unstable fixes from debian.org, fixes
    > for stable will be well before in security.debian.org.
    Indeed, Stable *IS* the priority. If it isn't fixed within
    hours (typically) or even sometimes minutes... something is gravely wrong
    with the security fix and it takes a bit more work to get it right.

    > 4. With how much difference? Hours or days?
    Typically, for a simple fix... could be as few as the minutes it takes
    for the maintainer to compile and upload. On the other hand, if Stable
    is a long fix... could be that Unstable could be as long. But it might
    be fixed as soon as Stable due to the backport causing trouble.

    Typically though, you are usually looking at minutes to a couple of
    hours.

    > 5. Where are equivalents of debian-security-announce for
    > testing/unstable?
    There really is nothing for Testing or Unstable. Just reference the
    Debian Advisory. And subscribe to Debian-Devel... Comments from
    Developers usually are right on the money... and can help out with the
    wondering.

    Overall, if security is your number one "paranoid" issue (it is for me)
    then you either stick with Stable or Discover where it is that you need
    to get your fixes ASAP.

    -- 
    greg, greg@gregfolkert.net
    REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
    Your beautiful bulgarian bricks stack like the thousand eyes of Estonian
    potatos, peering amid fuzzy dreams of corrugated cardboard.
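
The point at the top of the thread, that 3.6.1p2-9 is safe even though upstream is already at 3.7.1 because the fix was backported into the Debian revision, can be checked mechanically: compare the installed version against the version the advisory names as fixed, never against the upstream release number. The following is an added example and not part of the original message or of Debian's own tooling; it is a pure-Python port of dpkg's version ordering (epoch, upstream version, Debian revision) so it runs without dpkg installed. The fixed-version table and the host inventory are constructed sample input; the only value taken from the message is 3.6.1p2-9. On a real Debian host the same comparison is `dpkg --compare-versions`.

```python
"""Compare Debian package versions the way dpkg does, to decide whether an
installed package is at or above the version an advisory names as fixed.

Added example, not the mailing-list author's code and not dpkg itself: a
Python port of dpkg's ordering rules. The real tool is
`dpkg --compare-versions VER1 ge VER2`.
"""


def _order(c):
    """Weight of one character inside a non-digit segment.

    End-of-string and digits weigh 0, '~' sorts before everything (even the
    end of the string, so 1.0~rc1 < 1.0), letters sort before all other
    characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision) dpkg-style:
    alternate non-digit segments (character weights via _order) and digit
    segments (numeric value, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit segment: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit segment: drop leading zeros; a longer run of digits is the
        # larger number, at equal length the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


# Constructed sample input: the fixed version per package as an advisory would
# state it (3.6.1p2-9 is the figure quoted in the message above).
FIXED_VERSIONS = {"openssh-server": "3.6.1p2-9"}


def vulnerable_packages(installed, fixed=FIXED_VERSIONS):
    """Names of installed packages that are below the fixed version."""
    return [name for name, ver in installed.items()
            if name in fixed and not is_fixed(ver, fixed[name])]


if __name__ == "__main__":
    # Constructed host inventory, as `dpkg-query -W` would report it.
    host = {"openssh-server": "3.6.1p2-9", "openssh-client": "3.6.1p2-9"}
    print("vulnerable:", vulnerable_packages(host))
    # Lower than upstream 3.7.1, yet at the fixed Debian revision.
    print("below 3.7.1:", compare_versions("3.6.1p2-9", "3.7.1p1-1") < 0)
```

The comparison function is also where the usual mistakes hide: an epoch (`1:`) outranks any upstream number, a `~` suffix sorts before the bare version, and revisions compare numerically (`-9` is older than `-10`), so string comparison or a naive split on dots gives wrong answers for exactly the backported packages this thread is about.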