[suse-security] Re: SSH and Apache warnings Nessus
On Mon, Oct 06, 2003 at 08:09:37AM +0100, Hollweg, Daniel wrote:
> I have two problems with a newly installed SuSe Linux Professional 8.2.
> All current patches are applied. When I am scanning the box with the
> nessus I get the following warnings:
> - You are running a version of OpenSSH which is older than 3.7.1
> - You are running OpenSSH-portable 3.6.1p1 or older.
If possible SuSE applies fixes to software versions originally delivered
with some SuSE distribution. Therefore upgrading to the newest
versions is not necessary.
> Is this O.K. and just a Nessus Problem with the SuSe version of
> - The remote HTTP server allows an attacker to read arbitrary files
> on the remote web server, simply by adding a slash in front of its name.
> Example: GET //etc/passwd will return /etc/passwd.
There has been a vulnerability in mod_rewrite, but it should be no
problem using apache installed with SuSE 8.2.
> I already installed the newest SuSe Apache 1.3 package. Where is the problem?
> Amazing is that the GET request does not return the whole passwd but only two
Is this just some nessus information or did you reproduce the
Stefan Tichy <listuser@xxxxxxxxx>