Debian Security Advisory DSA 086-1 (ssh-nonfree, ssh-socks)

The remote host is missing an update to ssh-nonfree, ssh-socks announced via advisory DSA 086-1.
We have received reports that the SSH CRC-32 compensation attack detector vulnerability is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not. Though packages in the non-free section of the archive are not officially supported by the Debian project, we are taking the unusal step of releasing updated ssh-nonfree/ssh-socks packages for those users who have not yet migrated to OpenSSH. However, we do recommend that our users migrate to the regularly supported, DFSG-free ssh package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package available in Debian 2.2r4. The fixed ssh-nonfree/ssh-socks packages are available in version 1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for use with the Debian unstable/testing distribution. Note that the new ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh binary, disabling rhosts-rsa authentication. If you need this functionality, run chmod u+s /usr/bin/ssh1 after installing the new package.