[opensuse-security] openSSH, 11.3 and CVE-2011-0539
We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010.

I can see that the fix is in the version in factory. The change log has:

- Update to 5.8p1
  * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.

which looks like the fix for CVE-2011-0539.

Two questions:

1/ Is there any reason why this fix hasn't been ported to 11.3?
2/ Any reason why I might have problems taking the factory source and building it for myself?

Paul
--
Paul Reeves
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
paul wrote:
We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010.
If you have a use case that requires pci-dss compliance you may find SLES better suit your needs.

Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4.
https://bugzilla.novell.com/show_bug.cgi?id=669477

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Monday 18 July 2011 at 10:23 Ludwig Nussel wrote:
paul wrote:
We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010.
If you have a use case that requires pci-dss compliance you may find SLES better suit your needs.
Unfortunately we are not (yet) generating sufficient income for that. :-(
Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4. https://bugzilla.novell.com/show_bug.cgi?id=669477
Hmmm. The pci-dss scanner is not very bright. It is convinced that 5.4 is vulnerable. I guess I will have to go and argue with those guys. (Their scanner also flags up an error that we are running OpenSSH v2.0. Never mind that the previous error for the CVE clearly identifies us as running 5.4).

Presumably there are no 'gotchas' if we install the factory version on 11.3? It will probably turn out to be easier than convincing securitymetrics that their scanner is wrong.

Paul
--
Paul Reeves
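The thread turns on two facts: CVE-2011-0539 was introduced in OpenSSH 5.6 and fixed by 5.8p1, and the scanner apparently read the "2.0" protocol version out of the banner as if it were the OpenSSH version. The following is an added example, not code from the list or from openSUSE, showing how a banner-based triage check should parse the RFC 4253 identification string and apply that version range; it assumes the affected range [5.6, 5.8) as the thread states it, and a version-only check like this still cannot see a distribution's backported fixes.

```python
import re

# Affected range as the thread describes it (assumption taken from the
# changelog quoted above): introduced in 5.6, fixed by the update to 5.8p1.
AFFECTED_MIN = (5, 6)
FIXED_IN = (5, 8)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(banner):
    """Split an SSH identification string into protocol version, software
    version and optional comments. Returns None for a non-SSH line."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comments": m.group("comments")}


def openssh_version(software):
    """(major, minor) from a softwareversion such as 'OpenSSH_5.8p1',
    or None when the software is not OpenSSH."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")))


def naive_version(banner):
    """Mimics a scanner that takes the first number after 'SSH-' as the
    server version: for 'SSH-2.0-OpenSSH_5.4' it reports '2.0'."""
    m = re.match(r"^SSH-(\d+\.\d+)", banner)
    return m.group(1) if m else None


def cve_2011_0539_applies(banner):
    """True only when the banner is OpenSSH with 5.6 <= version < 5.8.
    Returns None (not False) when the software cannot be identified, so
    a caller never mistakes 'unknown' for 'not affected'. Backported
    fixes are invisible to a banner check and need a package-level look."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    ver = openssh_version(parsed["software"])
    if ver is None:
        return None
    return AFFECTED_MIN <= ver < FIXED_IN
```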
On Mon, Jul 18, 2011 at 11:27:29AM +0200, paul wrote:
On Monday 18 July 2011 at 10:23 Ludwig Nussel wrote:
paul wrote:
We failed a pci-dss compliance test because the version of openSSH for 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been any update to openSSH for 11.3 since Jun 2010.
If you have a use case that requires pci-dss compliance you may find SLES better suit your needs.
Unfortunately we are not (yet) generating sufficient income for that. :-(
Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4. https://bugzilla.novell.com/show_bug.cgi?id=669477
Hmmm. The pci-dss scanner is not very bright. It is convinced that 5.4 is vulnerable. I guess I will have to go and argue with those guys. (Their scanner also flags up an error that we are running OpenSSH v2.0. Never mind that the previous error for the CVE clearly identifies us as running 5.4).
Presumably there are no 'gotchas' if we install the factory version on 11.3? It will probably turn out to be easier than convincing securitymetrics that their scanner is wrong.
Try it, if it works you will know immediately, if it does not also...

You should really push back, otherwise they will come back and back and back.... Threaten to get a different auditor with more clues.

Ciao, Marcus
Am Mon, 18 Jul 2011 11:43:44 +0200 schrieb Marcus Meissner <meissner@suse.de>:
You should really push back, otherwise they will come back and back and back....
Absolutely. Doing stupid things (like installing unmaintained Software versions) just to get past some totally clueless security certification is doing no good to your system security.
Threaten to get a different auditor with more clues.
Do such exist? I sometimes doubt it...
--
Stefan Seyfried
"Dispatch war rocket Ajax to bring back his body!"
On Monday 18 July 2011 at 11:43 Marcus Meissner wrote:
Presumably there are no 'gotchas' if we install the factory version on 11.3? It will probably turn out to be easier than convincing securitymetrics that their scanner is wrong.
Try it, if it works you will know immediately, if it does not also...
:-)
You should really push back, otherwise they will come back and back and back....
Oh yes. These guys even fail you for running an ftp server. Despite the fact that the failure report acknowledges that a correctly configured ftp server is not a security risk. (And, of course, we are running vsftp.) And the latest scan fails us for various XSS errors that they claim are PHP based. In fact the site is running on Python :-) They are probably right about the XSS vulnerability but one tends to lose confidence in them because they add so much bullshit.
Threaten to get a different auditor with more clues.
I wish. I think they were chosen by the bank.

Paul
--
Paul Reeves
participants (4)
- Ludwig Nussel
- Marcus Meissner
- paul
- Stefan Seyfried