
Re: [opensuse-security] openSSH, 11.3 and CVE-2011-0539

On Mon, Jul 18, 2011 at 11:27:29AM +0200, paul wrote:
> On Monday 18 July 2011 at 10:23 Ludwig Nussel wrote:
> > paul wrote:
> > > We failed a pci-dss compliance test because the version of openSSH for
> > > 11.3 doesn't have the fix for CVE-2011-0539. In fact, there hasn't been
> > > any update to openSSH for 11.3 since Jun 2010.
> > 
> > If you have a use case that requires pci-dss compliance you may find
> > SLES better suits your needs.
> Unfortunately we are not (yet) generating sufficient income for that. :-(
> > Anyways, CVE-2011-0539 affects openssh >= 5.6 while 11.3 has 5.4.
> > https://bugzilla.novell.com/show_bug.cgi?id=669477
> Hmmm. The pci-dss scanner is not very bright. It is convinced that 5.4 is 
> vulnerable. I guess I will have to go and argue with those guys. (Their 
> scanner also flags up an error that we are running OpenSSH v2.0. Never mind 
> that the previous error for the CVE clearly identifies us as running 5.4).
> Presumably there are no 'gotchas' if we install the Factory version on 11.3? It 
> will probably turn out to be easier than convincing securitymetrics that their 
> scanner is wrong.

Try it, if it works you will know immediately, if it does not also... 

You should really push back, otherwise they will come back and back and back....
Threaten to get a different auditor with more clues.

Ciao, Marcus
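As an added illustration, not part of this thread or of any scanner's code: the two false positives above both come from reading the SSH identification banner carelessly. The banner has the form `SSH-<protocol>-<software>` (RFC 4253), so the `2.0` in `SSH-2.0-OpenSSH_5.4` is the protocol version, not an OpenSSH 2.0 release, and the OpenSSH release number sits in the software field. The script below parses a banner properly and compares the OpenSSH release against the affected range the thread states for CVE-2011-0539 (OpenSSH >= 5.6). The sample banners are constructed for the example; the helper names are my own.

```python
import re

# Affected range as stated in the thread: CVE-2011-0539 affects OpenSSH >= 5.6,
# while openSUSE 11.3 ships 5.4. Only the lower bound is used here.
AFFECTED_MIN = (5, 6)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
# OpenSSH software field, e.g. OpenSSH_5.8p1 -> major 5, minor 8, patch level 1
OPENSSH_RE = re.compile(r"OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


def parse_banner(banner):
    """Split an SSH identification string into protocol and software parts.

    The protocol field ("2.0", "1.99") is NOT the OpenSSH release number; a scanner
    that reports "OpenSSH v2.0" from this banner has confused the two fields.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {"protocol": m.group("proto"), "software": m.group("software")}


def openssh_version(software):
    """Return the (major, minor) OpenSSH release from the software field, or None."""
    m = OPENSSH_RE.search(software)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")))


def in_affected_range(version, lower=AFFECTED_MIN):
    """Tuple comparison: (5, 4) >= (5, 6) is False, (5, 8) >= (5, 6) is True."""
    return version >= lower


def assess(banner):
    """Classify one banner: unparsed, not OpenSSH, or OpenSSH with range verdict."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "status": "unparsed"}
    ver = openssh_version(parsed["software"])
    if ver is None:
        return {"banner": banner, "status": "not-openssh", "protocol": parsed["protocol"]}
    return {
        "banner": banner,
        "status": "openssh",
        "protocol": parsed["protocol"],
        "openssh": "%d.%d" % ver,
        "cve_2011_0539_range": in_affected_range(ver),
    }


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts, not real scan data).
    samples = [
        "SSH-2.0-OpenSSH_5.4",        # what an openSUSE 11.3 host would announce
        "SSH-2.0-OpenSSH_5.8p1",      # inside the stated affected range
        "SSH-1.99-OpenSSH_4.3",       # older release, protocol 1.99 compatibility banner
        "SSH-2.0-dropbear_2011.54",   # not OpenSSH at all
        "garbage",                    # not an SSH banner
    ]
    for s in samples:
        print(assess(s))
```

A version-range check like this is only a first filter, which is the real lesson of the thread: distributions backport fixes without bumping the upstream release number, so a banner that falls inside the affected range does not prove the host is vulnerable, and the package changelog or the vendor's bug tracker (the bugzilla entry cited above) is the authoritative evidence to hand an auditor.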