
Re: security report



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

>
> Dear Debian People,
>
> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on.

This looks like output from Nessus.  Take everything it reports with a
grain of salt.

> I have run apt-get update and apt-get upgrade on it. The most serious
> problem appears to be with ssh. What should I do about this, if
> anything?
>
> Should I upgrade to a more recent version of ssh from testing? The current
> version of OpenSSH is at 1.2.3-9.3 and the most recent version is 2.9.

IIRC the biggest problem with OpenSSH is that the protocol isn't the
greatest.

There's a reason the package version is 1.2.3-9.3 - there have been a
number of security-related uploads since Potato was released.

It also can't tell the difference between SSH 1.2.9 and OpenSSH 1.2.9,
which is why it told you about the security hole.

> In any case, I thought security vulnerabilities were supposed to be
> fixed in stable.

They are.  If you find one I think the people on the debian security team
would like to know about it.

> And does anyone have thoughts about the other warnings reported?

For the most part Nessus is crying wolf.  You may want to disable the
daytime service in /etc/inetd.conf, however.

-- 
----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine

iD8DBQE7QKEm/ZTSZFDeHPwRAoaoAKDgAhVdVMHzLKId9SKTgdnBxPJoWwCeKT5i
4o26P208OyPvwO+8eB5UzX4=
=/4ss
-----END PGP SIGNATURE-----
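The one concrete recommendation in the reply above is to disable the daytime service in /etc/inetd.conf. The following script is an added example, not code from the post or from Debian: it parses an inetd.conf in the standard seven-field layout (service, socket type, protocol, wait flag, user, server program, arguments), reports which of inetd's built-in "internal" services are still enabled, and writes out a copy with them commented out. It goes slightly beyond the post by treating all five internal services (echo, chargen, discard, daytime, time) the same way, since a scanner will flag each one that answers. The sample configuration embedded in it is constructed to resemble a Potato-era file and is not taken from any real host.

```python
"""Audit an inetd.conf for inetd's legacy "internal" services such as daytime.

Added example, not from the mailing-list post.  SAMPLE_INETD_CONF below is a
constructed sample in the style of a Debian 2.2 /etc/inetd.conf.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample (not a real host's file).  Tabs separate fields, as in
# the stock Debian layout; lines starting with '#' are comments.
SAMPLE_INETD_CONF = """\
#:INTERNAL: Internal services
#echo\t\tstream\ttcp\tnowait\troot\tinternal
#echo\t\tdgram\tudp\twait\troot\tinternal
#chargen\tstream\ttcp\tnowait\troot\tinternal
discard\t\tstream\ttcp\tnowait\troot\tinternal
daytime\t\tstream\ttcp\tnowait\troot\tinternal
daytime\t\tdgram\tudp\twait\troot\tinternal
time\t\tstream\ttcp\tnowait\troot\tinternal

#:STANDARD: These are standard services.
ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.ftpd
#telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.telnetd

#:MAIL:
smtp\tstream\ttcp\tnowait\tmail\t/usr/sbin/exim exim -bs
"""

# Services implemented inside inetd itself (program field is "internal").
# They serve no purpose on most hosts, and every one that answers gets
# reported by a vulnerability scanner.
INTERNAL_SERVICES = {"echo", "chargen", "discard", "daytime", "time"}


@dataclass
class InetdEntry:
    service: str
    socket_type: str   # stream / dgram
    protocol: str      # tcp / udp
    wait: str          # wait / nowait
    user: str
    program: str       # path of the server, or "internal"
    args: List[str]


def parse_line(line: str) -> Optional[InetdEntry]:
    """Return the entry on a line, or None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        raise ValueError(f"malformed inetd.conf line: {line!r}")
    return InetdEntry(*fields[:6], fields[6:])


def enabled_services(conf: str) -> List[InetdEntry]:
    """All active (uncommented) entries, in file order."""
    return [e for line in conf.splitlines() if (e := parse_line(line)) is not None]


def flag_internal(conf: str) -> List[str]:
    """'service/protocol' for every enabled internal service, e.g. 'daytime/udp'."""
    return [f"{e.service}/{e.protocol}"
            for e in enabled_services(conf) if e.service in INTERNAL_SERVICES]


def disable_services(conf: str, names: Iterable[str]) -> str:
    """Return conf with the named services commented out; all other lines untouched."""
    names = set(names)
    out = []
    for line in conf.splitlines():
        entry = parse_line(line)
        out.append("#" + line if entry is not None and entry.service in names else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled internal services:", flag_internal(SAMPLE_INETD_CONF))
    hardened = disable_services(SAMPLE_INETD_CONF, INTERNAL_SERVICES)
    print("after hardening:", [e.service for e in enabled_services(hardened)])
```

On a real system, read /etc/inetd.conf instead of the embedded sample, write the result to a new file, and have inetd reload its configuration (on Potato, `kill -HUP` the inetd process, or use `update-inetd`) before re-running the scan to confirm the report goes away.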


