Re: openssh_7.2p2+ availability for wheezy

To: Adam Weremczuk <adamw@matrixscience.com>
Cc: Thorsten Glaser <t.glaser@tarent.de>, Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org, debian-backports@lists.debian.org
Subject: Re: openssh_7.2p2+ availability for wheezy
From: Russ Allbery <rra@debian.org>
Date: Thu, 27 Jul 2017 09:19:32 -0700
Message-id: <[🔎] 87d18lg8dn.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 602474d8-fe3a-9be2-823b-7993adb1d2d0@matrixscience.com> (Adam Weremczuk's message of "Thu, 27 Jul 2017 16:20:09 +0100")
References: <[🔎] fa0ade4c-33f9-8f5e-e22c-fc92972130e1@matrixscience.com> <[🔎] 20170727134302.GA5182@santiago.connexer.com> <[🔎] 8d39708f-01b9-7430-bd95-303f9bd1fe21@matrixscience.com> <[🔎] alpine.DEB.2.20.1707271652480.2803@tglase.lan.tarent.de> <[🔎] 602474d8-fe3a-9be2-823b-7993adb1d2d0@matrixscience.com>

Adam Weremczuk <adamw@matrixscience.com> writes:

> Does their flagging mean they don't know how Debian security patching
> works?

They probably just don't care.  Most of those firms do literally nothing
other than running Nessus on your server remotely and then giving you the
results formatted to make a manager happy (and charging you a ton of money
for doing so).  Nessus determines vulnerabilities primarily by asking the
server for what version of sshd it's running, and is not at all
intelligent about the patching policies of local distributions.

Filtering out false positives from Nessus is nearly a full time job (about
95% of Nessus results are wrong).  Most security audit firms don't bother;
people seem happy to pay them anyway, so why bother do any extra work?

Anyway, the two vulnerabilities that you're trying to deal with are
CVE-2016-3115 (X11 CRLF injection) and CVE-2014-2532 (AcceptEnv
wildcards).  CVE-2014-2532 is fixed in wheezy already, via a security
update (fixed as of 1:6.0p1-4+deb7u1).  CVE-2016-3115 does not appear to
be fixed in wheezy (although if I understand the bug correctly, it only
applies to forced command configurations in authorized_keys which also
allow X11 forwarding, with a fairly simple workaround of just adding
no-X11-forwarding to the relevant authorized_keys lines).

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- openssh_7.2p2+ availability for wheezy
  - From: Adam Weremczuk <adamw@matrixscience.com>
- Re: openssh_7.2p2+ availability for wheezy
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: openssh_7.2p2+ availability for wheezy
  - From: Adam Weremczuk <adamw@matrixscience.com>
- Re: openssh_7.2p2+ availability for wheezy
  - From: Thorsten Glaser <t.glaser@tarent.de>
- Re: openssh_7.2p2+ availability for wheezy
  - From: Adam Weremczuk <adamw@matrixscience.com>

Prev by Date: Re: openssh_7.2p2+ availability for wheezy
Next by Date: Re: openssh_7.2p2+ availability for wheezy
Previous by thread: Re: openssh_7.2p2+ availability for wheezy
Next by thread: Re: openssh_7.2p2+ availability for wheezy
Index(es):
- Date
- Thread