>> openssh shipped with 1.5 (/usr/sbin/sshd) has the fix to
>> http://razor.bindview.com/publish/advisories/adv_ssh1crc.html.
>> the version number seems to older than the advisory, but
>> the fix is there.
>Excellent. But our users don't know that, because we haven't made any
>announcement (unless I missed it).

        we are working on it. sorry for delays, please hold.

>If there are new features (or especially bug fixes) in pkgsrc openssh
>(2.3) that aren't in 1.5's openssh (2.2), then we should make sure
>that pkgsrc openssh can install on a 1.5 system.

        (i think i have wrote similar item couple of times)
        current situation is like this:

        current: 2.3.2 as of 2/14
        1.5: 2.2.0 with patch against razor advisory
        pkgsrc/security/openssh: portable openssh 2.3.0p1
        pkgsrc/security/ssh: ssh.com ssh 1.2.27 + patch against razor advisory

        i've requested a pullup from current to 1.5 branch.

>If there are no such new features, then pkgsrc openssh should refuse
>to install on a 1.5 system, and it should give a clear explanation of
>why, to avoid confusion.

        i'm not sure about this. pkgsrc/security/openssh uses portable openssh
        distribution. usr.bin/ssh uses non-portable (original from openbsd).
        i can think of people who wants to install pkgsrc version for some
        reason.

itojun

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]