Comment 1 for bug 651720

Marc Deslauriers (mdeslaur) wrote :

As per our policy, and in line with the security policy of most Linux distributions, we do not update versions of software in stable releases to fix security issues. We backport security fixes to the version available when the stable release came out.

In the case of "OpenSSH X11 Hijacking Attack Vulnerability", AKA CVE-2008-1483, the OpenSSH version in Hardy already contains a patch for this issue, as seen in the changelog of version 4.7p1-5.

For "OpenSSH Plaintext Recovery Attack Against SSH Vulnerability", AKA CVE-2008-5161, we have classified this as having a low security impact since the upstream openssh project has deemed this issue "infeasible in most circumstances". If this issue is a concern for you, you may configure your ssh server to prefer the AES CTR mode ciphers, as they do not contain this flaw. In order to do so, edit your server's sshd_config file to contain the following line:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

Due to the first issue being fixed already, and the second attack being "infeasible", we are of the opinion that the current OpenSSH packages in hardy correctly adhere to PCI-DSS compliance.
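
A way to verify that an sshd_config actually carries the cipher ordering recommended in the comment above. This is an added example, not part of the original comment and not Ubuntu or OpenSSH code; the function names `effective_ciphers` and `audit_ciphers` and the sample fragment are constructed for illustration.

```python
import re

def effective_ciphers(config_text):
    """Return the cipher list from the first global Ciphers line, or None."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":
            break                             # only the global section is scanned
        if keyword == "ciphers" and len(parts) == 2:
            # sshd uses the first value it obtains for a keyword.
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return None

def audit_ciphers(config_text):
    """Report whether every CTR cipher is listed ahead of every CBC cipher."""
    ciphers = effective_ciphers(config_text)
    if ciphers is None:
        return None                           # no Ciphers line: defaults apply
    ctr = [i for i, c in enumerate(ciphers) if c.endswith("-ctr")]
    cbc = [i for i, c in enumerate(ciphers) if c.endswith("-cbc")]
    return {
        "ciphers": ciphers,
        "ctr_first": bool(ctr) and (not cbc or max(ctr) < min(cbc)),
        # CBC modes left in the list stay negotiable: RFC 4253 section 7.1
        # selects the first cipher on the client's list that the server offers.
        "cbc_offered": [ciphers[i] for i in cbc],
    }

# Constructed sshd_config fragment using the Ciphers line from the comment.
SAMPLE = """\
# constructed sample
Port 22
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
"""

if __name__ == "__main__":
    print(audit_ciphers(SAMPLE))
```

A `None` result means the file has no active Ciphers line, so the packaged defaults are in effect rather than the ordering from the comment.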