2 files changed, 28 insertions, 0 deletions
diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys
index bfffc154a..7a9cb7657 100644
--- a/debian/README.compromised-keys
+++ b/debian/README.compromised-keys
@@ -138,3 +138,30 @@ OpenSSL:
 3. If certificates have been generated for use on other systems, they must be
   found and replaced as well.
+== Removing openssh-blacklist ==
+For the moment, the openssh-server package depends on openssh-blacklist, in
+order that the blacklist is deployed to the maximum possible number of
+systems to reduce the potential spread of worms exploiting this
+vulnerability. We acknowledge that this may be inconvenient for some small
+systems, but nevertheless feel that this was the best course of action.
+If you absolutely need to remove the blacklist from your system, then you
+can run the following commands to substitute a fake package for
+openssh-blacklist:
+  sudo apt-get install equivs
+  equivs-control openssh-blacklist.ctl
+  sed -i 's/^Package:.*/Package: openssh-blacklist/' openssh-blacklist.ctl
+  sed -i 's/^# Version:.*/Version: 9:1.0/' openssh-blacklist.ctl
+  equivs-build openssh-blacklist.ctl
+  sudo dpkg -i openssh-blacklist_1.0_all.deb
+Be warned: this circumvents a security measure for the sake of disk space.
+You should only do this if you have no other option, and if you are certain
+that no compromised keys will ever be generated on or copied onto this
+system.
+Once a sufficient amount of time and number of releases have passed, the
+openssh-blacklist package will be phased out.
diff --git a/debian/changelog b/debian/changelog
index 3c80768b5..9e4ec47bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ openssh (1:4.7p1-13) UNRELEASED; urgency=low
  * Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now
    takes care of that (thanks, Frans Pop; closes: #484404).
  * Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0.
+  * Add documentation on removing openssh-blacklist locally (see #484269).
 -- Colin Watson <cjwatson@debian.org>  Fri, 30 May 2008 23:26:25 +0100

diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys index bfffc154a..7a9cb7657 100644 --- a/debian/README.compromised-keys +++ b/debian/README.compromised-keys
@@ -138,3 +138,30 @@ OpenSSL:
138		138
139	3. If certificates have been generated for use on other systems, they must be	139	3. If certificates have been generated for use on other systems, they must be
140	found and replaced as well.	140	found and replaced as well.
		141
		142	== Removing openssh-blacklist ==
		143
		144	For the moment, the openssh-server package depends on openssh-blacklist, in
		145	order that the blacklist is deployed to the maximum possible number of
		146	systems to reduce the potential spread of worms exploiting this
		147	vulnerability. We acknowledge that this may be inconvenient for some small
		148	systems, but nevertheless feel that this was the best course of action.
		149
		150	If you absolutely need to remove the blacklist from your system, then you
		151	can run the following commands to substitute a fake package for
		152	openssh-blacklist:
		153
		154	sudo apt-get install equivs
		155	equivs-control openssh-blacklist.ctl
		156	sed -i 's/^Package:.*/Package: openssh-blacklist/' openssh-blacklist.ctl
		157	sed -i 's/^# Version:.*/Version: 9:1.0/' openssh-blacklist.ctl
		158	equivs-build openssh-blacklist.ctl
		159	sudo dpkg -i openssh-blacklist_1.0_all.deb
		160
		161	Be warned: this circumvents a security measure for the sake of disk space.
		162	You should only do this if you have no other option, and if you are certain
		163	that no compromised keys will ever be generated on or copied onto this
		164	system.
		165
		166	Once a sufficient amount of time and number of releases have passed, the
		167	openssh-blacklist package will be phased out.


diff --git a/debian/changelog b/debian/changelog index 3c80768b5..9e4ec47bf 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -13,6 +13,7 @@ openssh (1:4.7p1-13) UNRELEASED; urgency=low
13	* Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now	13	* Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now
14	takes care of that (thanks, Frans Pop; closes: #484404).	14	takes care of that (thanks, Frans Pop; closes: #484404).
15	* Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0.	15	* Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0.
		16	* Add documentation on removing openssh-blacklist locally (see #484269).
16		17
17	-- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100	18	-- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100
18		19