[WBEL-users] Nessus reports "Security Hole" on openssh-server version

Kirby Bohling kbohling@birddog.com
Thu, 22 Apr 2004 16:32:41 -0500


On Thu, Apr 22, 2004 at 03:00:28PM -0600, Jason Becker wrote:
> Hello All,
> 
> I am a recent convert from Slackware so please bear with me...
> 
> After installing WBEL and updating (yum -y update) I ran Nessus against 
> my server. Nessus reports a "Security Hole" on the ssh port. Excerpts 
> from the report:
> 

If you look at the errata for RedHat 9.0, you'll find this entry:

https://rhn.redhat.com/errata/RHSA-2003-279.html

It mentions the same bug you mention, with exactly the same text.

The other important thing to notice is the sentence:

"We have also included fixes from Solar Designer for some additional
memory bugs. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0682 to these
issues."

Now, run this:

rpm -q --changelog openssh-server | less

You'll notice the first entry in the ChangeLog says they included
the fixes from Solar Designer on the same date as the errata for
RedHat9 (Sept 17th, 2003).

The reason you don't see an errata is that RedHat 3.0 wasn't
released until after that date.  Judging by the timestamps on the
FTP site, sometime in October of 2003.  Thus there would be no
errata for RH3.0.  It was released after the fix was already
installed.

So my guess is it's all good.  If you really, really want to know,
go find the recommended patch fix for that, install the SRPM, go
look at the patches it has, and make sure it has the fix from Solar
Designer as one of them.

	Thanks,
		Kirby
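The changelog check Kirby describes, written up as an added example (this is not code from the original thread or from the WBEL project). It reads `rpm -q --changelog` output and searches it for a vulnerability identifier, accepting both the older "CAN-" form used in the errata above and the current "CVE-" form. The function names, the sample changelog text and the maintainer address are all constructed for the example.

```shell
#!/bin/sh
# Added example: compare a scanner's version-banner finding against the
# distributor's backported fixes by searching the package changelog for the
# vulnerability identifier. Accepts "CAN-" or "CVE-" identifiers alike.

# Constructed sample in `rpm -q --changelog` format (newest entry first).
# The entries are illustrative, not copied from any real package.
SAMPLE_CHANGELOG='* Wed Sep 17 2003 Example Maintainer <maint@example.invalid> 3.5p1-11
- include fixes from Solar Designer for additional memory bugs (CAN-2003-0682)
- rebuilt

* Tue Sep 16 2003 Example Maintainer <maint@example.invalid> 3.5p1-10
- fix buffer management error (CAN-2003-0693)'

# changelog_mentions ID: read changelog text on stdin, print every line that
# cites ID (matching the CAN- and CVE- prefixes interchangeably), and exit 0
# only if at least one such line exists.
changelog_mentions() {
    case $1 in
        [Cc][Aa][Nn]-*|[Cc][Vv][Ee]-*) num=${1#*-} ;;   # strip the prefix
        *) num=$1 ;;
    esac
    # trailing ([^0-9]|$) keeps 2003-0682 from matching 2003-06821
    grep -i -E "(CAN|CVE)-$num([^0-9]|$)"
}

# first_entry_header: print the header line of the newest changelog entry so
# its date can be compared with the errata date.
first_entry_header() {
    sed -n '/^\* /{p;q;}'
}

# rpm_changelog_mentions PKG ID: the same check against an installed package.
# Needs rpm and the package present, so it is not run in the demo below.
rpm_changelog_mentions() {
    rpm -q --changelog "$1" | changelog_mentions "$2"
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions CAN-2003-0682 >/dev/null; then
    echo "fix for CAN-2003-0682 is recorded in the changelog:"
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions CAN-2003-0682
else
    echo "no changelog entry cites CAN-2003-0682; treat the scanner finding as open"
fi
echo "newest entry: $(printf '%s\n' "$SAMPLE_CHANGELOG" | first_entry_header)"
```

On the server from the post the real check would be `rpm_changelog_mentions openssh-server CAN-2003-0682`. A hit shows the fix was backported even though the banner version Nessus keys on is unchanged; no hit means the finding is still open until the SRPM's patches are inspected, which is the same fallback Kirby suggests.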