Re: [suse-security] SSH and Apache warnings Nessus
On Mon, Oct 06, 2003 at 08:09:37AM +0100, Hollweg, Daniel wrote:
> Hi List!
> I have two problems with a newly installed SuSe Linux Professional 8.2.
> All current patches are applied. When I scan the box with
> Nessus I get the following warnings:
> - You are running a version of OpenSSH which is older than 3.7.1
> - You are running OpenSSH-portable 3.6.1p1 or older.
> As I wrote before I installed the latest SSH Version from SuSe.
> Is this O.K. and just a Nessus problem with the SuSe version of
This is a FAQ and a common misunderstanding, which probably should be
mentioned on www.suse.com/security :-)
SuSE doesn't bump up the packages to the latest version if there is a
security problem, instead they backport the patches to the version which
was shipped. This can be considered a good thing, since you get fewer
compatibility issues. But it is not easily detected by simple scanners
> - The remote HTTP server allows an attacker to read arbitrary files
> on the remote web server, simply by adding a slash in front of its name.
> Example: GET //etc/passwd will return /etc/passwd.
Probably a configuration problem on your side, can't verify this here.
Senior Consultant community4you GmbH, Chemnitz, Germany.
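
One way to triage a banner-based finding like the OpenSSH warnings above on a distribution that backports fixes, as an added example that is not part of the original message. It assumes the changelog text comes from `rpm -q --changelog openssh`; the banner, changelog entries, advisory identifier and function names are constructed placeholders.

```python
import re

# Matches the software part of an SSH identification string, e.g.
# "SSH-2.0-OpenSSH_3.5p1" -> (3, 5, 0); the third component is optional.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


def banner_version(banner):
    """Return the OpenSSH version in a banner as a comparable tuple."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSH version in banner: %r" % banner)
    return tuple(int(g or 0) for g in m.groups())


def changelog_mentions(changelog, advisory_id):
    """Return the changelog lines that reference the advisory."""
    needle = advisory_id.lower()
    return [ln.strip() for ln in changelog.splitlines() if needle in ln.lower()]


def triage(banner, fixed_in, changelog, advisory_id):
    """Classify a banner-based scanner finding on a distro that backports."""
    if banner_version(banner) >= fixed_in:
        return "not-flagged"            # scanner would not warn at all
    if changelog_mentions(changelog, advisory_id):
        return "likely-false-positive"  # fix referenced in package history
    return "verify-manually"            # old banner and no backport recorded


# Constructed sample data (hypothetical, not from the original message).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.5p1"
SAMPLE_CHANGELOG = """\
* Wed Sep 17 2003 - packager@example.com
- backport security fix (ADVISORY-ID-PLACEHOLDER)
* Mon Mar 10 2003 - packager@example.com
- update to 3.5p1
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, (3, 7, 1), SAMPLE_CHANGELOG,
                 "ADVISORY-ID-PLACEHOLDER"))
```

A "likely-false-positive" result only says the package history references the advisory; the vendor's security announcement for the installed package release remains the authoritative confirmation.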