
Re: openssh_7.2p2+ availability for wheezy

Adam Weremczuk <adamw@matrixscience.com> writes:

> Does their flagging mean they don't know how Debian security patching
> works?

They probably just don't care.  Most of those firms do literally nothing
other than running Nessus on your server remotely and then giving you the
results formatted to make a manager happy (and charging you a ton of money
for doing so).  Nessus determines vulnerabilities primarily by asking the
server for what version of sshd it's running, and is not at all
intelligent about the patching policies of local distributions.

Filtering out false positives from Nessus is nearly a full time job (about
95% of Nessus results are wrong).  Most security audit firms don't bother;
people seem happy to pay them anyway, so why bother doing any extra work?

Anyway, the two vulnerabilities that you're trying to deal with are
CVE-2016-3115 (X11 CRLF injection) and CVE-2014-2532 (AcceptEnv
wildcards).  CVE-2014-2532 is fixed in wheezy already, via a security
update (fixed as of 1:6.0p1-4+deb7u1).  CVE-2016-3115 does not appear to
be fixed in wheezy (although if I understand the bug correctly, it only
applies to forced command configurations in authorized_keys which also
allow X11 forwarding, with a fairly simple workaround of just adding
no-X11-forwarding to the relevant authorized_keys lines).

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
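As an added example (not part of Russ's message, nor Debian's or OpenSSH's own code): a small Python checker for the workaround he describes. It flags authorized_keys entries that carry a command= forced command but still permit X11 forwarding, and rewrites them by appending no-X11-forwarding. It also honours the restrict option (introduced in OpenSSH 7.2, so on wheezy's 6.0p1 only no-X11-forwarding applies), matches option names case-insensitively as sshd does, and assumes X11Forwarding is enabled in sshd_config (with it off, the exposure does not arise). The sample file and its key blobs are constructed placeholders.

```python
# Audit an authorized_keys file for forced-command keys that still allow
# X11 forwarding, and append no-X11-forwarding to the offending lines.
# Added example; the sample file below is constructed, the keys are fake.

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # lines without options start with a key type


def _cut_options(s):
    """Index of the first whitespace outside double quotes (end of the option field)."""
    in_quote, i = False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_quote and i + 1 < len(s):
            i += 2                      # backslash-escaped char inside a quoted value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
        i += 1
    return len(s)


def split_options(opts):
    """Split the option field on commas that are not inside double quotes."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, keytype, comment) for a key line, None for blank/comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if s.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], s
    else:
        cut = _cut_options(s)
        options, rest = split_options(s[:cut]), s[cut:]
    fields = rest.split(None, 2)        # keytype, base64 blob, optional comment
    if len(fields) < 2:
        return None                      # malformed; sshd would skip it as well
    return options, fields[0], (fields[2] if len(fields) > 2 else "")


def _name(opt):
    return opt.split("=", 1)[0].strip().lower()


def x11_permitted(options):
    """Apply options in order as sshd does: restrict/no-X11-forwarding turn X11 off,
    a later x11-forwarding turns it back on."""
    permitted = True
    for opt in options:
        if _name(opt) in ("restrict", "no-x11-forwarding"):
            permitted = False
        elif _name(opt) == "x11-forwarding":
            permitted = True
    return permitted


def audit(text):
    """Return [(line_number, comment)] for forced-command keys that still allow X11."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _keytype, comment = parsed
        if any(_name(o) == "command" for o in options) and x11_permitted(options):
            findings.append((n, comment))
    return findings


def harden(text):
    """Append no-X11-forwarding to the option field of every line audit() flags.
    Appending (not prepending) makes it win over any earlier x11-forwarding."""
    flagged = {n for n, _ in audit(text)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if n in flagged:                 # flagged lines always have an option field
            s = line.strip()
            cut = _cut_options(s)
            line = s[:cut] + ",no-X11-forwarding" + s[cut:]
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE = r'''# service keys (constructed example)
command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1 git-deploy
command="/usr/local/bin/backup.sh",no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLE2 backup
restrict,command="/usr/bin/rrsync /srv/data" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE3 rrsync
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE4 interactive-user
no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EEXAMPLE5 canary
'''

if __name__ == "__main__":
    for n, comment in audit(SAMPLE):
        print(f"line {n}: forced command without no-X11-forwarding ({comment})")
    print(harden(SAMPLE))
```

On the constructed sample the checker flags the git-deploy and canary keys; the backup key already carries no-X11-forwarding and the rrsync key is covered by restrict. Run it against a real file with `audit(open(path).read())` and review `harden()`'s output before writing it back, since the rewrite only touches the option field of flagged lines.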
