Hi Salvatore,

Thank you for that very useful link.

The only outstanding concern from my list is:

ID: OSVDB 14400
THREAT: The SSH server running on the remote host is affected by an information disclosure vulnerability.
IMPACT: According to its banner, the version of OpenSSH running on the remote host is prior to 7.5. It is, therefore, affected by an information disclosure vulnerability:
  - An unspecified timing flaw exists in the CBC padding oracle countermeasures, within the ssh and sshd functions, that allows an unauthenticated, remote attacker to disclose potentially sensitive information. Note that the OpenSSH client disables CBC ciphers by default. However, sshd offers them as lowest-preference options, which will be removed by default in a future release. (VulnDB 144000)
SOLUTION: Upgrade to OpenSSH version 7.5 or later.

Can you advise of the best alternative fix, as 7.5 only appears to be available in unstable releases (buster and sid)?

In the Debian world, what's the relation / difference between OSVDBs and CVEs?

Regards
Adam

On 09/08/2017 09:36, Salvatore Bonaccorso wrote:
> Hi
>
> On Wed, Aug 09, 2017 at 09:21:42AM +0100, Adam Weremczuk wrote:
>> Hello,
>>
>> Could somebody confirm the status of the following:
>>
>> CVE-2014-1692
>> CVE-2014-2532
>> CVE-2015-5352
>> CVE-2015-5600
>> CVE-2015-6563
>> CVE-2015-6564
>> CVE-2015-6565
>> CVE-2016-10009
>> CVE-2016-10010
>> CVE-2016-10011
>> CVE-2016-10012
>> OSVDB-144000
>>
>> in 6.0p1-4+deb7u6 ?
>
> The security-tracker can help you verify the status for certain CVEs and source packages. For openssh, have a look at:
>
> https://security-tracker.debian.org/tracker/source-package/openssh
>
>> I've searched for references in /usr/share/doc/openssh-server/changelog.Debian on a system running the 6.0p1-4+deb7u6 version on wheezy 7.1 but couldn't find them.
>>
>> Also: https://packages.debian.org/wheezy/openssh-server --> "Debian Changelog" returns 404 not found.
>>
>> Why is that?
>
> That's unfortunately because of https://bugs.debian.org/490848 (and the related merged bugs).
>
> Regards,
> Salvatore
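As an added example (not part of this thread), the following Python script mechanises the two checks discussed above: it scans a Debian-format changelog for the CVE ids in question and reports the oldest package version whose entry mentions each one, and it inspects an sshd_config for a Ciphers directive that still lists CBC-mode ciphers, the ones the scanner finding is about. The changelog text and the config lines embedded below are constructed for illustration; they do not reflect what Debian actually fixed in any openssh version.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in Debian changelog format. Versions, dates and the
# CVE ids attached to them are placeholders, NOT a record of real Debian fixes.
SAMPLE_CHANGELOG = """\
openssh (1:6.0p1-4+deb7u6) wheezy-security; urgency=high

  * Fix CVE-2015-5600: limit keyboard-interactive authentication attempts.
  * Fix CVE-2015-6563, CVE-2015-6564: privilege separation hardening.

 -- Example Maintainer <maint@example.org>  Mon, 04 Jan 2016 00:00:00 +0000

openssh (1:6.0p1-4+deb7u5) wheezy-security; urgency=high

  * Fix CVE-2014-2532: restrict AcceptEnv handling.

 -- Example Maintainer <maint@example.org>  Mon, 05 Jan 2015 00:00:00 +0000
"""

# A changelog entry starts at column 0 with "package (version) distribution; ..."
ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_fix_versions(changelog: str) -> Dict[str, str]:
    """Map every CVE id mentioned in the changelog to the oldest package
    version whose entry mentions it. Entries are newest-first, so a later
    match in the file overwrites an earlier one with an older version."""
    found: Dict[str, str] = {}
    headers = list(ENTRY_HEADER.finditer(changelog))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[header.end():end]
        for cve in CVE_ID.findall(body):
            found[cve] = header.group(2)
    return found


def status_for(changelog: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """For each requested id, the version that claims to fix it, or None when
    the changelog never mentions it (which is what the thread ran into)."""
    fixes = cve_fix_versions(changelog)
    return {cve: fixes.get(cve) for cve in wanted}


def cbc_ciphers(sshd_config: str) -> Optional[List[str]]:
    """Return the CBC-mode ciphers named by the first effective Ciphers
    directive (sshd uses the first occurrence of a keyword). Returns None when
    no directive is set, meaning the compiled-in default list applies, which
    on the versions discussed above still contains CBC ciphers at lowest
    preference. A '-' prefix removes the named ciphers from the defaults, so
    in that case nothing listed is enabled and an empty list is returned."""
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = re.match(r"^ciphers[ \t=]+(\S+)", stripped, re.IGNORECASE)
        if not match:
            continue
        value = match.group(1)
        prefix = value[0] if value[0] in "+-^" else ""
        names = value.lstrip("+-^").split(",")
        if prefix == "-":
            return []
        return [n for n in names if n.lower().endswith("-cbc")]
    return None


if __name__ == "__main__":
    wanted = ["CVE-2014-2532", "CVE-2015-5600", "CVE-2016-10012"]
    for cve, version in status_for(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {version or 'not mentioned in changelog'}")
    # Constructed config lines, not a real server's configuration.
    print("CBC ciphers in directive:", cbc_ciphers("Ciphers aes256-ctr,aes128-cbc,3des-cbc\n"))
    print("No directive set:", cbc_ciphers("Port 22\n"))
```

A CVE id absent from changelog.Debian does not by itself mean the package is unfixed (a fix may have been applied without citing the id, or the issue may not affect the Debian build), which is why the security tracker link in the thread is the authoritative place to check; the changelog scan is a quick local cross-check. Likewise, a missing Ciphers directive means sshd's defaults apply, so the function deliberately reports None rather than an empty list.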