On Wed, Jun 26, 2002 at 12:56:53PM +0200, Oliver Bleutgen wrote:
What is SuSE's plan? Esp. for the 7.0 and 7.1 SuSE releases.
1. build a new openssh 3.3 + real fix? 2. build a new openssh 2.9.x (or whatever versions was installed before)? 3. both of the above?
4. build an openssh 3.4 after we've done some more testing. I cannot give you a definitive answer. If I knew what the vulnerability was, I would have a clearer picture of what we need to do, and how long it takes. The plan right now is to look at 3.4 when it comes out, test it some more, then release another update.
The reason I ask is because 3.3 seems to be a little bit ... uhm ... problematic - even if I only read the original release notes, ignoring the messages on this list so far - and I'd like to be prepared.
Most of the issues noted so far are being addressed either by the OpenSSH team or by SuSE internally. Much of what's been hurting SuSE users so far was caused by our creating a new user account in the post-install script, and the MD5 issue. The major issue I can still see is that keyboard-interactive mode is not working yet, which means that skey based authentication and password changing does not work. We hope we'll have a fix for this by the time 3.4 hits the servers, too. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann