On Mon, Oct 06, 2003 at 08:09:37AM +0100, Hollweg, Daniel wrote:
> Hi List!
> I have two problems with a newly installed SuSE Linux Professional 8.2. All current patches are applied. When I am scanning the box with Nessus I get the following warnings:
> - You are running a version of OpenSSH which is older than 3.7.1
> - You are running OpenSSH-portable 3.6.1p1 or older.
> As I wrote before, I installed the latest SSH version from SuSE. Is this O.K. and just a Nessus problem with the SuSE version of SSH?
It is. This is a FAQ and a common misunderstanding, which probably should be mentioned on www.suse.com/security :-) SuSE doesn't bump up the packages to the latest version if there is a security problem; instead they backport the patches to the version which was shipped. This can be considered a good thing, since you get fewer compatibility issues. But it is not easily detected by simple scanners like Nessus.
> - The remote HTTP server allows an attacker to read arbitrary files on the remote web server, simply by adding a slash in front of its name. Example: GET //etc/passwd will return /etc/passwd.
Probably a configuration problem on your side, can't verify this here.

regards, Stefan
--
Stefan Seyfried
Senior Consultant
community4you GmbH, Chemnitz, Germany.
http://www.community4you.de
http://www.open-eis.com
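The backport situation Stefan describes is why a version-only scanner result needs a second check against the package's own changelog. The following is an added example, not part of the original thread or any SuSE tool; the package string and changelog entries are constructed to look like `rpm -q openssh` / `rpm -q --changelog openssh` output and are not real SuSE changelog text.

```python
import re

# Constructed sample data (not real rpm output): a package whose upstream
# version is below the scanner's threshold but whose changelog records a
# backported fix. Real checks would feed in the output of
# `rpm -q openssh` and `rpm -q --changelog openssh`.
SAMPLE_PACKAGE = "openssh-3.6.1p1-109"
SAMPLE_CHANGELOG = """\
* Wed Sep 17 2003 - packager@example.org (constructed entry)
- backported the security fix released upstream in openssh 3.7.1;
  package version number is unchanged
* Tue Apr 01 2003 - packager@example.org (constructed entry)
- update to 3.6.1p1
"""

def upstream_version(ver):
    """Numeric part of an OpenSSH version string: '3.6.1p1' -> (3, 6, 1)."""
    return tuple(int(x) for x in re.match(r"[\d.]+", ver).group().split("."))

def split_package(nvr):
    """'openssh-3.6.1p1-109' -> ('openssh', '3.6.1p1', '109')."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel

def flagged_by_version_only(nvr, fixed_in):
    """What a banner/version-only scanner does: flag anything older than fixed_in."""
    return upstream_version(split_package(nvr)[1]) < upstream_version(fixed_in)

def backport_entry(changelog, fixed_in):
    """Return the first changelog entry that mentions a backport of fixed_in, else None."""
    for entry in re.split(r"^\* ", changelog, flags=re.M):
        if "backport" in entry.lower() and re.search(r"\b%s\b" % re.escape(fixed_in), entry):
            return entry.strip()
    return None

def classify(nvr, changelog, fixed_in):
    """Triage a version-based finding: fixed by version, fixed by backport, or review needed."""
    if not flagged_by_version_only(nvr, fixed_in):
        return "fixed-by-version"
    if backport_entry(changelog, fixed_in):
        return "fixed-by-backport"   # the scanner finding is a false positive
    return "needs-review"            # old version and no backport recorded

if __name__ == "__main__":
    print(classify(SAMPLE_PACKAGE, SAMPLE_CHANGELOG, "3.7.1"))
```

The changelog match is a heuristic; the authoritative answer is the vendor advisory that names the patched package release.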