Hi Timo,

On 01/27/17 11:46, Timo Weingärtner wrote:
> Hi,
>
> 2017-01-27 08:39:41 CET Harald Dunkel:
>> openVAS complains about Jessie's openssh 6.7, recommending
>> an upgrade to at least version 7.3. I wonder if it would be
>> possible to add a backport to Jessie?
>>
>> AFAICT openssh 1:7.4p1-5 builds on Jessie out-of-the-box.
>
> At least back in the days when it was called nessus it did not know about
> security fixes cherry-picked by debian, but it showed the CVEs. Please check
> which of these — if any — are still unfixed in jessie-security.
>

openVAS still doesn't know about the fixes in Debian's package.
It complains about

	CVE-2016-6515
	CVE-2015-6564, CVE-2015-6563, CVE-2015-5600
	CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012
	CVE-2015-8325

AFAICT the 2016 issues are not fixed in Jessie's openssh.

> If it's not for security: which features are missing for your use case?
>

This is about making openVAS shut up. I want to show that it
doesn't complain anymore.

Don't get me wrong: I built 7.4 for my private repository. But
I wonder why there is no backport provided by Debian, as for
Wheezy?

Regards
Harri
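Added example, not part of the original thread: one way to do the check asked for above, i.e. decide per scanner-reported CVE whether the installed Debian package already carries the fix, by comparing Debian package versions instead of upstream version numbers. The tracker dictionary layout is an assumption modelled on the Debian security tracker's JSON export, and the CVE ids and package versions are constructed placeholders, not real tracker data.

```python
import re

def _order(ch):  # dpkg ordering: '~' < end of part < letters < other symbols
    if ch in ("", "~"):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):  # compare alternating non-digit / digit runs, as dpkg does
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(a, b):  # -1, 0 or 1 for versions of the form [epoch:]upstream[-revision]
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def triage(reported, tracker, package, release, installed):
    out = {}
    for cve in reported:
        rel = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
        if rel is None:
            out[cve] = "unknown"   # tracker has no entry for this package/release
        elif rel["status"] != "resolved":
            out[cve] = "open"      # no fixed package in this release yet
        else:
            fixed = deb_cmp(installed, rel["fixed_version"]) >= 0
            out[cve] = "fixed" if fixed else "upgrade"
    return out

# Constructed sample (placeholder CVE ids and versions, not real tracker data)
INSTALLED = "1:6.7p1-5+deb8u3"
REPORTED = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]
TRACKER = {"openssh": {
    "CVE-0000-0001": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1:6.7p1-5+deb8u2"}}},
    "CVE-0000-0002": {"releases": {"jessie": {"status": "resolved", "fixed_version": "1:6.7p1-5+deb8u4"}}},
    "CVE-0000-0003": {"releases": {"jessie": {"status": "open"}}}}}
```

Findings that come back as "fixed" are the ones a scanner keying on the upstream version string reports even though the distribution package is patched; "open" and "upgrade" are the ones that still need action.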