
Re: OSVDB-166706



On Mon, Nov 13, 2017 at 12:57:48PM +0000, Adam Weremczuk wrote:
> Our quarterly PCI compliance scan has just challenged us on the following:
> https://vulners.com/nessus/OPENSSH_76.NASL
> Also referred to as OSVDB-166706.

The only security fix in OpenSSH 7.6 is:
|  * sftp-server(8): in read-only mode, sftp-server was incorrectly
|    permitting creation of zero-length files. Reported by Michal
|    Zalewski.

> As it's quite new, I can't find much information on it online in terms of
> potential hotfixes and workarounds.

There seems to be no CVE id, so it may not really show up on the radar.

> There is no openssh version available for wheezy newer than 6.0p1-4+deb7u6
> which we currently have installed.
> This makes me assume it's either unimportant or in the making.

Have you actually read the description?

> I trust Debian team on security, just need to satisfy the scanner, even if
> it's just a plain text convincing explanation...

Don't run read-only sftp servers?

Bastian

-- 
... The prejudices people feel about each other disappear when they get
to know each other.
		-- Kirk, "Elaan of Troyius", stardate 4372.5


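The practical question the reply raises is whether any sftp-server or internal-sftp instance on the host actually runs in read-only mode, since that is the only configuration the 7.6 fix touches. The script below is an added example, not code from the thread or from OpenSSH; it scans sshd_config text for `Subsystem sftp ...` and `ForceCommand ...` lines (including those inside Match blocks) that invoke sftp-server or internal-sftp with the `-R` flag, which sftp-server(8) documents as read-only mode. The sample configuration embedded in it is constructed for the demonstration; the file path used at the bottom is the usual Debian one and is only a default.

```python
"""Find sftp-server / internal-sftp instances configured in read-only mode (-R).

Added example for checking a host against the OpenSSH 7.6 sftp-server
read-only fix. Not part of the original mailing-list post or of OpenSSH.
"""
import shlex
import sys

# Constructed sample sshd_config for the demonstration (not from a real host).
SAMPLE_SSHD_CONFIG = """
Port 22
# Global subsystem: normal read-write sftp, not affected.
Subsystem sftp /usr/lib/openssh/sftp-server

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    # Read-only instance: this is the case the 7.6 fix is about.
    ForceCommand internal-sftp -R -u 0027

Match User uploader
    ForceCommand internal-sftp -u 0022
"""


def _is_sftp_command(argv):
    """True if argv runs OpenSSH's sftp subsystem (in-process or external)."""
    if not argv:
        return False
    return argv[0] == "internal-sftp" or argv[0].endswith("sftp-server")


def _has_readonly_flag(argv):
    """True if the sftp-server options contain -R (possibly bundled, e.g. -Re).

    Option values (for -u, -l, -f, -d, -p, -P) never start with '-', so only
    tokens that look like option clusters are inspected.
    """
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--") and "R" in arg[1:]:
            return True
    return False


def find_readonly_sftp(config_text):
    """Return a list of (scope, directive, command) for every read-only sftp
    invocation in the given sshd_config text. scope is "global" or the
    Match line the directive sits under."""
    findings = []
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        key = directive.lower()

        if key == "match":
            scope = "Match " + rest  # every later directive is conditional
            continue
        if key == "subsystem":
            # Subsystem <name> <command and arguments>
            sub = rest.split(None, 1)
            if len(sub) < 2 or sub[0] != "sftp":
                continue
            argv = shlex.split(sub[1])
        elif key == "forcecommand":
            argv = shlex.split(rest)
        else:
            continue

        if _is_sftp_command(argv) and _has_readonly_flag(argv):
            findings.append((scope, directive, " ".join(argv)))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_readonly_sftp.py [/path/to/sshd_config]
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SSHD_CONFIG
    hits = find_readonly_sftp(text)
    if not hits:
        print("no read-only sftp-server/internal-sftp instances configured")
    for scope, directive, cmd in hits:
        print(f"read-only sftp instance: [{scope}] {directive} {cmd}")
```

Run it against the real /etc/ssh/sshd_config of the scanned host; an empty result means no session can ever reach the read-only code path the 7.6 note describes, which is the plain-text explanation a scanner exception usually needs. A non-empty result means the flagged instance will accept creation of zero-length files until a fixed sftp-server is installed, regardless of what the scanner says about the version string.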