
Re: [suse-security] SSH and Apache warnings Nessus



On Mon, Oct 06, 2003 at 08:09:37AM +0100, Hollweg, Daniel wrote:
> Hi List!
> 
> I have two problems with a newly installed SuSE Linux Professional 8.2.
> All current patches are applied. When I am scanning the box with
> Nessus I get the following warnings:
> 
> - 	You are running a version of OpenSSH which is older than 3.7.1
> 
> - 	You are running OpenSSH-portable 3.6.1p1 or older.
> 
> As I wrote before, I installed the latest SSH version from SuSE.
> Is this O.K. and just a Nessus problem with the SuSE version of
> SSH?

it is.

This is a FAQ and a common misunderstanding, which probably should be
mentioned on www.suse.com/security :-)
SuSE doesn't bump up the packages to the latest version if there is a
security problem; instead they backport the patches to the version which
was shipped. This can be considered a good thing, since you get fewer
compatibility issues. But it is not easily detected by simple scanners
like Nessus.

> - 	The remote HTTP server allows an attacker to read arbitrary files
> 	on the remote web server, simply by adding a slash in front of its name. 
> 	Example: GET //etc/passwd will return /etc/passwd.

probably a configuration problem on your side, can't verify this here.

regards,

      Stefan
--
Stefan Seyfried

Senior Consultant community4you GmbH, Chemnitz, Germany. 
http://www.community4you.de http://www.open-eis.com

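A way to check the backport point Stefan makes, added here as an example and not code from the thread or from SuSE: a banner-matching scanner only sees the version string, while the package changelog (on SuSE, the output of `rpm -q --changelog openssh`) records whether the fix went in. The changelog text below is constructed for the example, not a real SuSE entry, and the `ver_lt` and `assess` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): tell a version-only scanner verdict
# apart from what the package changelog says. On SuSE the changelog comes
# from `rpm -q --changelog openssh`; the text below is a CONSTRUCTED sample
# in that shape, not a real SuSE changelog entry.
SAMPLE_CHANGELOG='* Wed Sep 17 2003 - packager@example.com
- fix buffer management bugs in buffer.c and channels.c
  (the bugs fixed upstream in OpenSSH 3.7.1)
* Fri Apr 04 2003 - packager@example.com
- update to 3.6.1p1'

# ver_lt A B: succeed when dotted version A is older than B.
# Only numeric fields are compared, so "3.6.1p1" is treated as 3.6.1.1,
# which is roughly how a banner-matching scanner reasons.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# assess INSTALLED FIXED_IN CHANGELOG PATTERN
# Prints one of:
#   patched    - the installed version is already >= the fixed version
#   backported - older version string, but the changelog records the fix
#   vulnerable - older version string and no trace of the fix
assess() {
    installed=$1; fixed_in=$2; changelog=$3; pattern=$4
    if ! ver_lt "$installed" "$fixed_in"; then
        echo patched
    elif printf '%s\n' "$changelog" | grep -qi -e "$pattern"; then
        echo backported
    else
        echo vulnerable
    fi
}

# Walk-through with the constructed changelog: a scanner sees 3.6.1p1 in the
# banner and reports "older than 3.7.1"; the changelog says the fix is in.
printf 'scanner view: %s\n' "$(ver_lt 3.6.1p1 3.7.1 && echo 'older than 3.7.1' || echo 'current')"
printf 'package view: %s\n' "$(assess 3.6.1p1 3.7.1 "$SAMPLE_CHANGELOG" 'buffer management')"

# On the real box (only meaningful where rpm is installed):
#   assess "$(rpm -q --qf '%{VERSION}' openssh)" 3.7.1 \
#          "$(rpm -q --changelog openssh)" 'buffer management'
```

The pattern you grep for should be the wording the vendor used for the fix (or an advisory identifier when the changelog carries one); a match only tells you the packager claims the fix is present, which is still far more than the version banner the scanner matched against.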