# Question about [ GLSA 201512-04 ] OpenSSH

## homoludens

So... https://security.gentoo.org/glsa/201512-04

 *Quote:*   

> Affected Packages
> 
> Package: net-misc/openssh
> 
> Vulnerable: < 7.1_p1-r2
> ...

 

and:

 *Quote:*   

> Resolution
> 
> All OpenSSH users should upgrade to the latest version:
> 
> Code:
> ...

 

How can a downgrade help when the affected versions are < 7.1_p1-r2?

And the latest version in Portage is 7.1_p1-r2 (https://packages.gentoo.org/packages/net-misc/openssh)?

Am I missing something?

----------

## NeddySeagoon

homoludens,

The advisory now says,

```
 # emerge --sync

 # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p1-r2"
```

Well caught.

----------

## depontius

So I see that I upgraded to the good version on Nov 5, 2015. I got the impression that this was a brand new vulnerability, and the fix just came out. The fix looks several months old. Any idea what's up?

----------

## Hu

As I read the Portage git logs, =net-misc/openssh-7.1_p2 was only added 2016-01-14 20:54:48, so you cannot have upgraded to it in November.  The vulnerability is quite old.  It is present in OpenSSH 5.4 and later.

----------

## depontius

Oops, looked again, and it's _p1-r2, and I did upgrade to it in November, from /var/log/portage :

```
-rw-rw---- 1 portage portage      3198 Nov  5 12:26 net-misc:openssh-6.9_p1-r2:20151105-172625.log
-rw-rw---- 1 portage portage    215721 Nov  5 12:26 net-misc:openssh-7.1_p1-r2:20151105-172528.log
```

Wait a minute... From the advisory, as homoludens says:

```
Unaffected versions    >= 7.1_p1-r2
```

And that's what I've got installed.  Looks like a typo in the security advisory, to me.

----------

