We failed a pci-dss compliance test because the version of openSSH for 11.3
doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update
to openSSH for 11.3 since Jun 2010.
I can see that the fix is in the version in factory. The change log has:
- Update to 5.8p1
* Fix vulnerability in legacy certificate signing introduced in
OpenSSH-5.6 and found by Mateusz Kocielski.
which looks like the fix for CVE-2011-0539.
1/ Is there any reason why this fix hasn't been ported to 11.3?
2/ Any reason why I might have problems taking the factory source and building
it for myself?
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org