
[suse-security] SSH and Apache warnings Nessus



Hi List!

I have two problems with a newly installed SuSE Linux Professional 8.2.
All current patches are applied. When I scan the box with 
Nessus I get the following warnings:

- 	You are running a version of OpenSSH which is older than 3.7.1

- 	You are running OpenSSH-portable 3.6.1p1 or older.

As I wrote before, I installed the latest SSH version from SuSE.
Is this O.K. and just a Nessus problem with the SuSE version of 
SSH?

- 	The remote HTTP server allows an attacker to read arbitrary files
	on the remote web server, simply by adding a slash in front of its name. 
	Example: GET //etc/passwd will return /etc/passwd.

I already installed the newest SuSE Apache 1.3 package. Where is the problem?
What is amazing is that the GET request does not return the whole passwd but only two 
lines.

Any suggestions?

Thanks,
Daniel








-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here