openSSH 4.3 p2 rpm help please!

Damien Miller djm at mindrot.org
Thu Apr 13 09:34:03 EST 2006


On Wed, 12 Apr 2006, Mike Zupan wrote:

> yes that version of 3.9 is fully patched against all bugs and security
> issues.. the only thing they don't back port is functionality.. so if

I bet that they do not back-port our proactive changes such as signed
vs. unsigned integer cleanups which may fix vulnerabilities that we
don't know about. Furthermore, some of the new features in more recent
versions are security-related, such as known_hosts hashing, better
password expiry handling, improved logging, delayed compression and
better ARC4 cipher modes.

So it is a legitimate choice for users to make to use an updated version
over a vendor version. As general advice, try to base what you install
off your vendor's source packages. You may want to look at applying the
vendor-specific patches if they exist, but we don't audit those and so
cannot vouch for them.

-d



