
Re: [opensuse-security] openSSH, 11.3 and CVE-2011-0539

On Monday 18 July 2011 at 11:43 Marcus Meissner wrote:
> > 
> > Presumably there are no 'gotchas' if we install the Factory version on
> > 11.3? It will probably turn out to be easier than convincing
> > securitymetrics that their scanner is wrong.
> Try it, if it works you will know immediately, if it does not also...

> You should really push back, otherwise they will come back and back and
> back.... 

Oh yes. These guys even fail you for running an ftp server. Despite the fact 
that the failure report acknowledges that a correctly configured ftp server is 
not a security risk. (And, of course, we are running vsftp.)

And the latest scan fails us for various XSS errors that they claim are PHP 
based. In fact the site is running on Python :-)  They are probably right 
about the XSS vulnerability but one tends to lose confidence in them because 
they add so much bullshit.

> Threaten to get a different auditor with more clues.

I wish. I think they were chosen by the bank.   

Paul Reeves