
Re: [d-security] Re: ssh vulnerability in the wild



Quoting Dossy (dossy@panoptic.com):

> Eek.  So, if we want to run secure systems, we either have to run
> unstable (and all the troubles that come with it) or stable?

The Security Team FAQ addresses this:
http://www.debian.org/security/faq#testing

  Q: How is security handled for testing and unstable?

  A: The short answer is: it's not. Testing and unstable are rapidly
  moving targets and the security team does not have the resources needed
  to properly support those. If you want to have a secure (and stable)
  server you are strongly encouraged to stay with stable. However, the
  security secretaries will try to fix problems in testing and unstable
  after they are fixed in the stable release.

The FAQ is your friend.  ;->

> I find that "testing" is a good middle ground for a reasonably stable
> system but with reasonably up-to-date packages, so that's why I run
> it.

You can certainly do that.  But the burden is on you to read DSAs and
take manual action as needed.  E.g., if a DSA says some exposed piece of
software you elect to run has a vulnerability you care about, you might
find it in your interest to do one of the following:

1.  Downgrade to the stable branch's version.
2.  Install the binary version from the unstable branch[1].
3.  apt-get source the unstable version, then recompile and dpkg -i it.
4.  deb-src and hand-patch, as you say.
5.  Switch temporarily from the affected package to an equivalent that
    isn't affected.  (Remember, there's lsh, for example.)

(The above is for the benefit of list readership at large.  I'm
certainly not suggesting you personally aren't aware of those options.)


[1] Add

      Package: *
      Pin: release a=unstable
      Pin-Priority: 50

    to /etc/apt/preferences.  Have both testing and unstable lines in
    /etc/apt/sources.list .  Then, after another apt-get update:

      # apt-get -t unstable install <somepackage>

    ...will get <somepackage> and any needed dependencies from the unstable
    branch.  (Note that you cannot assume unstable automatically fixes
    security bugs.)

    Alternatively, use "=" syntax to fetch a specified package version:

      apt-get install somepackage=12.17.4-4

Tutorial:  http://jaqque.sbih.org/kplug/apt-pinning.html

-- 
Cheers,           "I don't like country music, but I don't mean to denigrate
Rick Moen         those who do.  And, for the people who like country music,
rick@linuxmafia.com         denigrate means 'put down'."      -- Bob Newhart
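An added illustration, not part of Rick's message, of why the Pin-Priority: 50 stanza in footnote [1] keeps routine upgrades on testing while "apt-get -t unstable install" still pulls one package: a small Python model of apt's candidate selection following the priority rules in apt_preferences(5). The package name, versions and archive contents are constructed for the example, and the version ordering is a simplification of dpkg's.

```python
import re

# Simplified dpkg-style version ordering: digit runs compare as integers,
# everything else as text.  Enough for the constructed versions below; it is
# not a full implementation of dpkg's comparison algorithm.
def version_key(version):
    parts = [p for p in re.split(r"(\d+)", version) if p]
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]

def pin_priority(archive, target, pins):
    """Priority per apt_preferences(5): the target release (-t) gets 990,
    an archive named in /etc/apt/preferences gets its Pin-Priority,
    everything else defaults to 500."""
    if archive == target:
        return 990
    return pins.get(archive, 500)

def candidate(versions, target=None, pins=None, installed=None):
    """Return the (archive, version) apt would install from a list of
    (archive, version) pairs, or ("installed", v) when it keeps what is
    already there.  Rules modelled: a priority below 100 is only eligible
    when nothing is installed, highest priority wins, equal priority
    resolves to the higher version, and below 990 apt never downgrades."""
    pins = pins or {}
    best = None
    for archive, version in versions:
        prio = pin_priority(archive, target, pins)
        if prio < 100 and installed is not None:
            continue
        key = (prio, version_key(version))
        if best is None or key > best[0]:
            best = (key, archive, version)
    if best is None:
        return None
    (prio, _), archive, version = best
    if installed is not None and prio < 990 and version_key(installed) > version_key(version):
        return ("installed", installed)
    return (archive, version)

# Constructed archive contents for the example, not a real package index.
SOMEPACKAGE = [("testing", "12.17.3-1"), ("unstable", "12.17.4-4")]
UNSTABLE_PIN = {"unstable": 50}  # the Pin-Priority: 50 stanza from the message

if __name__ == "__main__":
    print("apt-get install (pinned):   ", candidate(SOMEPACKAGE, pins=UNSTABLE_PIN))
    print("apt-get -t unstable install:", candidate(SOMEPACKAGE, target="unstable", pins=UNSTABLE_PIN))
    print("later apt-get upgrade:      ", candidate(SOMEPACKAGE, pins=UNSTABLE_PIN, installed="12.17.4-4"))
    print("no pin at all:              ", candidate(SOMEPACKAGE))
```

The last case shows what happens with testing and unstable in sources.list but no pin: both archives sit at 500 and the higher version wins, so everything would drift to unstable.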


