Mailinglist Archive: opensuse-security (9 mails)
Re: [opensuse-security] openSSH, 11.3 and CVE-2011-0539
On Mon, Jul 18, 2011 at 11:27:29AM +0200, paul wrote:
> On Monday 18 July 2011 at 10:23 Ludwig Nussel wrote:
>
>> paul wrote:
>>> We failed a pci-dss compliance test because the version of openSSH for
>>> 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been
>>> any update to openSSH for 11.3 since Jun 2010.
>>
>> If you have a use case that requires pci-dss compliance you may find
>> SLES better suits your needs.
>
> Unfortunately we are not (yet) generating sufficient income for that. :-(
>
>> Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4.
>> https://bugzilla.novell.com/show_bug.cgi?id=669477
>
> Hmmm. The pci-dss scanner is not very bright. It is convinced that 5.4 is
> vulnerable. I guess I will have to go and argue with those guys. (Their
> scanner also flags up an error that we are running OpenSSH v2.0. Never mind
> that the previous error for the CVE clearly identifies us as running 5.4).
>
> Presumably there are no 'gotchas' if we install the Factory version on 11.3?
> It will probably turn out to be easier than convincing securitymetrics that
> their scanner is wrong.

Try it, if it works you will know immediately, if it does not also...

You should really push back, otherwise they will come back and back and back....
Threaten to get a different auditor with more clues.

Ciao, Marcus
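A version-range check for the false positive discussed in this thread, added here as an example and not code from the list, from openSUSE or from the scanner vendor. It assumes hosts announce a standard banner such as SSH-2.0-OpenSSH_5.4 (the sample banners are constructed), uses the >= 5.6 lower bound given above for CVE-2011-0539 with the first fixed release left as a placeholder, and models the "OpenSSH v2.0" report as a hypothetical parser that picks the protocol version out of the banner.

```python
import re

# Constructed sample banners, not taken from the thread's host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.4",             # what an openSUSE 11.3 host announces
    "SSH-2.0-OpenSSH_5.6p1 Debian-3",  # inside the affected range
    "SSH-2.0-OpenSSH_4.3",             # older than the affected range
]

# The "2.0" after "SSH-" is the protocol version; the release follows "OpenSSH_".
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+\.\d+)")

def parse_banner(banner):
    """Return (protocol_version, openssh_version_tuple) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return m.group("proto"), tuple(int(x) for x in m.group("ver").split("."))

def naive_scanner_version(banner):
    """Hypothetical careless parser (assumed, not the real scanner's code):
    takes the first x.y in the banner, which on OpenSSH is the protocol '2.0'."""
    m = re.search(r"\d+\.\d+", banner)
    return m.group(0) if m else None

def affected_by_cve_2011_0539(version, first_affected=(5, 6), first_fixed=None):
    """True when first_affected <= version < first_fixed.
    5.6 is the lower bound stated in the thread; first_fixed is a placeholder
    to fill in from the vendor advisory (None means no upper bound known)."""
    if version < first_affected:
        return False
    return first_fixed is None or version < first_fixed

def assess(banner):
    """Combine the parsed banner with the range check for one host."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "openssh": None, "affected": None}
    proto, ver = parsed
    return {
        "banner": banner,
        "protocol": proto,
        "openssh": ".".join(map(str, ver)),
        "affected": affected_by_cve_2011_0539(ver),
        "naive_version": naive_scanner_version(banner),
    }

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess(b))
```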