Is OpenSSH vulnerable to the ZLIB problem or isn't it?

Theo de Raadt deraadt at cvs.openbsd.org
Thu Apr 4 05:34:08 EST 2002


> On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > I'm disappointed that nobody has replied to my question.  OpenSSH
> > development team, isn't the potential for a remote root exploit something
> > that's important to you?  Many other tools that use zlib have issued a
> > public statement saying they are or they are not vulnerable.
> 
> do you have an exploit? what would it look like?  what would it do?
> sorry, i'm not writing exploits, so i have no idea how such an exploit
> should work. however, compress.c now has some code that should
> prevent a double free from zlib.

Please go read www.openbsd.org/security.html

We do not do exploitability checking.

Many groups on the net do, and I feel they waste their time greatly
doing so, instead of just fixing their code.

As a user, do what you should naturally do.  Assume so.  And upgrade.
I mean, what is the problem?  A bug has been fixed.  A new release is
out.  Upgrade.  We simply do not do software release management in the
way you want us to, and we never will.  Why hold us accountable to do
things in a stupid way which it is clear every single company on the
planet does not follow either?

Why should we be better, when we are unfinanced, volunteer based, and
such?

Know who publishes exploitability status reports?  People who need the
PR.
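The bug behind this thread is the zlib double free mentioned in the quoted reply: an error path releases a sub-allocation but leaves the stale pointer in place, and the caller's normal cleanup frees it a second time. The following is an added C model of that shape and of the two-line fix, written for this page; it is not zlib's, OpenSSH's or either poster's code, and `struct stream`, `on_error_unsafe`, `on_error_safe`, `stream_end` and `tracking_free` are names chosen here. The only zlib-like feature it borrows is that the stream frees memory through a caller-supplied hook, which is what lets the unsafe path run to completion instead of aborting in the allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not zlib or OpenSSH code: a stream owns one
 * sub-allocated state whose memory is released through a free hook. */
typedef void *(*alloc_fn)(size_t);
typedef void  (*free_fn)(void *);

struct state  { unsigned char *window; };
struct stream { alloc_fn zalloc; free_fn zfree; struct state *st; };

/* Free hook that really frees a pointer the first time it sees it and
 * only counts a repeat, so a double free is observable, not a crash.
 * The stale pointer is compared by value and never dereferenced. */
#define TRACK_MAX 64
static void *g_freed[TRACK_MAX];
static int   g_nfreed = 0;
static int   g_double_frees = 0;

static void tracking_reset(void) { g_nfreed = 0; g_double_frees = 0; }

static void tracking_free(void *p)
{
    int i;
    if (p == NULL)
        return;
    for (i = 0; i < g_nfreed; i++)
        if (g_freed[i] == p) { g_double_frees++; return; }
    if (g_nfreed < TRACK_MAX)
        g_freed[g_nfreed++] = p;
    free(p);
}

static int stream_init(struct stream *s, alloc_fn a, free_fn f, size_t wsize)
{
    s->zalloc = a;
    s->zfree  = f;
    s->st = a(sizeof *s->st);
    if (s->st == NULL)
        return -1;
    s->st->window = a(wsize);
    if (s->st->window == NULL) { f(s->st); s->st = NULL; return -1; }
    memset(s->st->window, 0, wsize);
    return 0;
}

/* Bug shape: the error path gives the window back but keeps the pointer,
 * so the caller's later cleanup hands the same address to free again. */
static void on_error_unsafe(struct stream *s)
{
    s->zfree(s->st->window);
}

/* Fix shape: release and clear, so cleanup sees NULL and skips it. */
static void on_error_safe(struct stream *s)
{
    s->zfree(s->st->window);
    s->st->window = NULL;
}

/* Normal cleanup, as a caller such as a server would run after any error. */
static void stream_end(struct stream *s)
{
    if (s->st == NULL)
        return;
    s->zfree(s->st->window);
    s->st->window = NULL;
    s->zfree(s->st);
    s->st = NULL;
}

/* Runs error-then-cleanup once; returns how many double frees the hook saw. */
static int run_scenario(int hardened)
{
    struct stream s;
    tracking_reset();
    if (stream_init(&s, malloc, tracking_free, 32) != 0)
        return -1;
    if (hardened)
        on_error_safe(&s);
    else
        on_error_unsafe(&s);
    stream_end(&s);
    return g_double_frees;
}

int main(void)
{
    printf("unsafe error path: %d double free(s)\n", run_scenario(0));
    printf("hardened error path: %d double free(s)\n", run_scenario(1));
    return 0;
}
```

The tracking hook is only a test aid; a real program links against the fixed library and, where it cannot, clears or drops its own pointers after the library reports an error rather than trusting the library's state.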
