[WBEL-users] How do I know whether ssh is patched against the latest exploits?

Kirby Bohling kbohling@birddog.com
Wed, 5 May 2004 15:21:28 -0500


On Wed, May 05, 2004 at 03:14:05PM -0400, Matt Grab wrote:
> I have 3.6.1p2-18 installed from up2date (whitebox channel from nc mirror).
> up2date says all packages on my system are current - none to update.
> I heard that ssh lower than 3.7 is remotely exploitable.  But I also heard 
> that redhat doesn't change the version numbers.

I think if you search the history of the list, you'll find a post I
put out about exactly this topic.  I believe the last person had a
Nessus scan that was reporting he was vulnerable.

http://beau.org/pipermail/whitebox-users/2004-April/001241.html

You can't trust version numbers.  RedHat backports all fixes to
their versions.  This is for compatibility and stability reasons.

The simple answer is, it's hard.  Either trust the mirrors, or
don't.  You can subscribe to the RedHat enterprise-watch-list.  That
should alert you about upgrades on an ongoing basis.

Read up on it here:
https://www.redhat.com/mailman/listinfo/enterprise-watch-list/

Because the same SRPMS are used for both RHEL3.0 and WBEL3.0, they
probably have the same vulnerabilities.  In the end, you end up
having to do your own to be absolutely sure.  Generally, I just go
to the update site on RedHat, check the SRPM version.  If the
versions I have installed match that, it's about as good as it's
going to get for me.

	Thanks,
		Kirby
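The check Kirby describes (compare the installed package's version-release against the one the vendor advisory names as fixed, rather than trusting the upstream version number) is easy to get wrong by string comparison, because RPM compares segment by segment. The following is an added example, not from the list thread or from any RedHat tool: it reimplements rpm's version comparison in Python and applies it to constructed version strings; the "fixed-in" releases are placeholders, not real advisory values.

```python
import re

# Segments are runs of digits or letters; everything else is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings as rpm does: numeric
    segments compare numerically, alphabetic ones lexically, a numeric segment
    beats an alphabetic one in the same position, and when all shared segments
    are equal the string with segments left over is newer (tilde/caret rules
    are omitted). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        c = (int(x) > int(y)) - (int(x) < int(y)) if xd else (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr: str):
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\\n' <pkg>
    ('(none)' or a missing epoch means 0)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed EVR is at least the EVR the vendor advisory
    lists as carrying the backported fix (a constructed placeholder here)."""
    return evrcmp(installed, fixed_in) >= 0


if __name__ == "__main__":
    # Constructed values: the installed release from the thread vs. hypothetical fixed-in releases.
    print(is_patched("3.6.1p2-18", "3.6.1p2-18"))  # same release as the advisory -> True
    print(is_patched("3.6.1p2-18", "3.6.1p2-19"))  # advisory names a newer release -> False
```

Note that a True result only means the installed release is not older than the one the advisory names; it says nothing about packages installed from a mirror that never published that release.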