
Re: OSVDB-166706



Hi

On Mon, Nov 13, 2017 at 09:19:45PM +0100, Bastian Blank wrote:
> On Mon, Nov 13, 2017 at 12:57:48PM +0000, Adam Weremczuk wrote:
> > Our quarterly PCI compliance scan has just challenged us on the following:
> > https://vulners.com/nessus/OPENSSH_76.NASL
> > Also referred to as OSVDB-166706.
> 
> The only security fix in OpenSSH 7.6 is:
> |  * sftp-server(8): in read-only mode, sftp-server was incorrectly
> |    permitting creation of zero-length files. Reported by Michal
> |    Zalewski.
> 
> > As it's quite new I can't find much information on it online in terms of
> > potential hotfixes and workarounds.
> 
> There seems to be no CVE id, so it may not really show up on the radar.

JFTR, this should be CVE-2017-15906.

Regards,
Salvatore

