In message <20011204205730.A481@antioche.eu.org>, Manuel Bouyer writes:
>On Tue, Dec 04, 2001 at 11:05:14AM -0800, Paul Hoffman wrote:
>> I don't think the new version is in the 1.5.2 sources have the newest 
>> version, which came out in the last few days.
>
>No, if it's a security issue which has not yet been published, then 1.5.2
>doesn't have the fix.
>BTW, it doens't need to be the last version to have the bugs fixed:
>the ssh1 package is still 1.2.27 but isn't vulnerable to the crc32
>exploit since february :)

THere's a new bug out there...

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com