[openssh-unix-announce] Announce: OpenSSH 5.0 released
Colin Watson
cjwatson at debian.org
Fri Apr 4 21:04:05 EST 2008
Damien Miller wrote:
>We apologise for any inconvenience resulting from this release
>being made so shortly after 4.9. Unfortunately we only learned of
>the below security issue from the public CVE report. The Debian
>OpenSSH maintainers responsible for handling the initial report of
>this bug failed to report it via either the private OpenSSH security
>contact list (openssh at openssh.com) or the portable OpenSSH Bugzilla
>(http://bugzilla.mindrot.org/).
>
>We ask anyone wishing to report security bugs in OpenSSH to please use
>the openssh at openssh.com contact and to practice responsible disclosure.

My apologies for this; after having been in a very busy period at work
for some time, I was dealing with the bug in a rush immediately before
going on holiday for a week, and a comment on the bug by that point
indicated that it had already been forwarded to Theo DeRaadt. Since that
sounded vaguely reasonable and I was short on time, I didn't think to
check further.

(The bug log indicates that a member of Red Hat's Security Response Team
was also aware of the same problem.)

--
Colin Watson [cjwatson at debian.org]