Re: OSVDB-166706
On Mon, Nov 13, 2017 at 12:57:48PM +0000, Adam Weremczuk wrote:
> Our quarterly PCI compliance scan has just challenged us on the following:
> https://vulners.com/nessus/OPENSSH_76.NASL
> Also referred to as OSVDB-166706.
The only security fix in OpenSSH 7.6 is:
| * sftp-server(8): in read-only mode, sftp-server was incorrectly
| permitting creation of zero-length files. Reported by Michal
| Zalewski.
> As it's quite new I can't find much information on it online in terms of
> potential hotfixes and workarounds.
There seems to be no CVE id, so it may not really show up on the radar.
> There is no openssh version available for wheezy newer than 6.0p1-4+deb7u6
> which we currently have installed.
> This makes me assume it's either unimportant or in the making.
Have you actually read the description?
> I trust the Debian team on security, I just need to satisfy the scanner, even if
> it's just a plain text convincing explanation...
Don't run read-only sftp servers?
Bastian
--
... The prejudices people feel about each other disappear when they get
to know each other.
-- Kirk, "Elaan of Troyius", stardate 4372.5
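As an added check, not part of this thread, the POSIX shell script below reports whether an sshd_config defines a read-only sftp server (sftp-server or internal-sftp started with -R), which is the only mode the OpenSSH 7.6 sftp-server fix concerns; the sample config it writes is constructed for demonstration and is not from any real host.

```shell
#!/bin/sh
# Added example: find read-only sftp server definitions in an sshd_config.
# Only hosts that start sftp-server/internal-sftp with -R are affected by
# the 7.6 zero-length-file fix; a read-write sftp subsystem is not.
# Note: -R combined with other flags in one word (e.g. -Ru) is not handled.

# Print every line that starts an sftp server with -R (read-only).
# $1 = path to an sshd_config file. Exit status is that of awk (0).
sftp_readonly_lines() {
    sed -e 's/#.*//' "$1" | awk '
    {
        key = tolower($1)
        if (key == "subsystem" && tolower($2) == "sftp") start = 3
        else if (key == "forcecommand") start = 2
        else next
        # the command word must be sftp-server or internal-sftp
        if ($start !~ /sftp-server$|internal-sftp$/) next
        for (i = start + 1; i <= NF; i++) if ($i == "-R") { print; break }
    }'
}

# Return 0 if any read-only sftp server is configured, 1 otherwise.
sftp_is_readonly() {
    [ -n "$(sftp_readonly_lines "$1")" ]
}

# Constructed sample config (not from a real host): a read-write global
# subsystem plus a Match block that forces a read-only internal-sftp.
write_sample_config() {
    cat > "$1" <<'EOF'
# Global sftp subsystem: read-write, not affected by the 7.6 fix
Subsystem sftp /usr/lib/openssh/sftp-server -u 0027
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    # read-only: the mode the 7.6 sftp-server fix applies to
    ForceCommand internal-sftp -R
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
if sftp_is_readonly "$cfg"; then
    echo "read-only sftp server configured (pre-7.6 sftp-server allows zero-length file creation here):"
    sftp_readonly_lines "$cfg"
else
    echo "no read-only sftp server found in $cfg"
fi
rm -f "$cfg"
```

Point it at /etc/ssh/sshd_config to check a real host; if nothing is reported, the scanner finding does not apply to your configuration.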