Damien Miller wrote:
>We apologise for any inconvenience resulting from this release
>being made so shortly after 4.9. Unfortunately we only learned of
>the below security issue from the public CVE report. The Debian
>OpenSSH maintainers responsible for handling the initial report of
>this bug failed to report it via either the private OpenSSH security
>contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla
>(http://bugzilla.mindrot.org/).
>
>We ask anyone wishing to report security bugs in OpenSSH to please use
>the openssh@openssh.com contact and to practice responsible disclosure.


My apologies for this; after having been in a very busy period at work
for some time, I was dealing with the bug in a rush immediately before
going on holiday for a week, and a comment on the bug by that point
indicated that it had already been forwarded to Theo de Raadt. Since that
sounded vaguely reasonable and I was short on time, I didn't think to
check further.

(The bug log indicates that a member of Red Hat's Security Response Team
was also aware of the same problem.)

--
Colin Watson [cjwatson@debian.org]
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org