We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for. Potato has a fix at http://www.debian.org/security/2001/dsa-027
So how do we fix this on a woody machine? There are a few things that can be done, none of them very great. There is the possibility of putting the potato package on our machine, but are there are dependancy issues or problems downgrading a package from woody to potato? What about when a fix does finally come available for woody, will it be an issue to bring the potato package up to that woody upgrade? There is the possibility of enabling protocol2 only on our ssh installation, which would make us safe, but is only an interim fix until an update comes available for woody, this an issue for people who cannot connect via protocol 2, and an annoyance/education effort for those who connect via protocol 1. All of these aren't great. Unless I am wrong, currently there is no known exploit for this hole, but that isn't that much of a reassurance either. Thanks, Micah
