On Mon, Jul 18, 2011 at 11:27:29AM +0200, paul wrote:
> On Monday 18 July 2011 at 10:23 Ludwig Nussel wrote:
> > paul wrote:
> > > We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010.
> > If you have a use case that requires pci-dss compliance you may find SLES better suits your needs.
> Unfortunately we are not (yet) generating sufficient income for that. :-(
> > Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4. https://bugzilla.novell.com/show_bug.cgi?id=669477
> Hmmm. The pci-dss scanner is not very bright. It is convinced that 5.4 is vulnerable. I guess I will have to go and argue with those guys. (Their scanner also flags up an error that we are running OpenSSH v2.0. Never mind that the previous error for the CVE clearly identifies us as running 5.4).
> Presumably there are no 'gotchas' if we install the Factory version on 11.3? It will probably turn out to be easier than convincing securitymetrics that their scanner is wrong.
Try it, if it works you will know immediately, if it does not also... You should really push back, otherwise they will come back and back and back.... Threaten to get a different auditor with more clues.

Ciao, Marcus

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
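As an added example (not code from this thread or from the openSUSE project), here is the kind of banner check an auditor's scanner should have done: it keeps the SSH protocol version ("2.0") separate from the OpenSSH software version and compares the latter against the affected range Ludwig cites (OpenSSH >= 5.6). The version that fixed the CVE is not stated in the thread, so it is left as an optional parameter, and the sample banners are constructed.

```python
import re
import socket
from typing import Optional, Tuple

# Constructed sample identification strings (RFC 4253 format), not captured
# from the host discussed in the thread.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.4",            # what openSUSE 11.3 ships
    "SSH-2.0-OpenSSH_5.6p1 Debian-1",  # inside the affected range
    "SSH-1.99-OpenSSH_5.8",           # protocol 1.99 = accepts SSH-1 and SSH-2
]

# "SSH-<proto>-OpenSSH_<major>.<minor>[p<patch>][ comment]"
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+\.\d+)(?:p\d+)?"
)


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (protocol_version, (major, minor)) for an OpenSSH banner.

    The protocol version ('2.0') and the software version ('5.4') are
    different fields; a report of 'OpenSSH v2.0' has confused the two.
    Returns None for non-OpenSSH or unparseable banners.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor = (int(x) for x in m.group("ver").split("."))
    return m.group("proto"), (major, minor)


def affected_by_cve_2011_0539(
    banner: str, fixed: Optional[Tuple[int, int]] = None
) -> Optional[bool]:
    """True if the banner's OpenSSH version is in the affected range.

    Lower bound (>= 5.6) is as stated in the thread. The fixed version is
    not given there, so it is an optional caller-supplied assumption.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None  # cannot decide from the banner alone
    _, ver = parsed
    if ver < (5, 6):
        return False
    if fixed is not None and ver >= fixed:
        return False
    return True


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line from one of your own hosts."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", errors="replace").splitlines()[0]
```

Run `affected_by_cve_2011_0539(fetch_banner("localhost"))` against your own server to check what the scanner would see; a `None` result means the banner was not an OpenSSH one and version matching is not enough to decide.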