Re: need to update the following after security audit
- From: Anthony J Placilla <anthony_placilla SUTH COM>
- To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list redhat com>
- Subject: Re: need to update the following after security audit
- Date: Tue, 12 Apr 2005 13:42:25 -0400
On Tue, 2005-04-12 at 13:35 -0400, Avtar Gill wrote:
> Leuy Eeelyu wrote:
>
> > Besides, I used the following command and know that
> > openssh-3.6.1p2-33.30.1 was last updated on 04 Mar
> > 2004. But what does it mean to them?
> >
> > [root box root]# rpm --query --changelog openssh-3.6.1p2-33.30.1 | more
> > * Thu Mar 04 2004 Phil Knirsch <pknirsch redhat com>
> > 3.6.1p2-33.30.1
> >
> > - Built RHLE3 U2 update package.
>
> I believe you have an older version of that package installed. The
> latest one for RHEL3 is openssh-3.6.1p2-33.30.3
>
> $ rpm -q --changelog openssh-3.6.1p2-33.30.3 | more
> * Mon Oct 04 2004 Nalin Dahyabhai <nalin redhat com> 3.6.1p2-33.30.3
>
> - add a --enable-vendor-patchlevel option which allows a ShowPatchLevel option
>   to enable display of a vendor patch level during version exchange (#120285)
> - configure with --disable-strip to build useful debuginfo subpackages
>
> * Mon Sep 27 2004 Nalin Dahyabhai <nalin redhat com>
>
> - backport fix from 3.7 to use TCP_NODELAY for interactive connections again
>
> [snip]
>
Going back to the Management Education portion of your issue: I just went
through this exercise with an external assessment. Initially we were dinged
hard because the vendor did rely on a simple version # as reported by OpenSSHd.

Here's the key thing. Any reliable vendor will specify the CAN # they feel is
applicable & caused the failure. In our case they yelled about CAN-2003-0695.
However, any reputable vendor also has a methodology for reporting & appealing
based upon false positives.

A simple

rpm -qi --changelog openssh-server | grep CAN

gave us

- additional buffer manipulation fixes (CAN-2003-0695)
(CAN-2003-0693)

Appealed as a false positive due to vendor backport & it was approved.

YMMV
--
Tony Placilla, RHCT
anthony_placilla suth com
J.O.A.T.
GPG-Key-ID: 1024D/C78F8B64 http://pgp.mit.edu
Key fingerprint = A8D5 7AFF CE88 4179 C792 D9A9 F197 2A15 C78F 8B64
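An added example, not part of this message or the thread: a small Python parser for `rpm --changelog` output that finds the oldest entry mentioning a given advisory (accepting either the CAN- or the CVE- prefix, since scanners report the latter for IDs an older changelog still lists as CAN-) and reports the package version that first carried the backported fix, which is the evidence a false-positive appeal needs. The changelog text is a constructed sample modelled on the entries quoted above; the oldest entry's date, packager and version are placeholders, not real Red Hat changelog data.

```python
import re
from datetime import datetime

# Constructed sample modelled on the `rpm -q --changelog openssh` output quoted
# in the thread; the oldest entry (date, packager, version) is a placeholder.
SAMPLE_CHANGELOG = """\
* Mon Oct 04 2004 Nalin Dahyabhai <nalin redhat com> 3.6.1p2-33.30.3
- add a --enable-vendor-patchlevel option (#120285)

* Thu Mar 04 2004 Phil Knirsch <pknirsch redhat com> 3.6.1p2-33.30.1
- Built RHEL3 U2 update package.

* Wed Sep 17 2003 Example Packager <packager example com> 3.6.1p2-EXAMPLE
- additional buffer manipulation fixes (CAN-2003-0695)
  (CAN-2003-0693)
"""

# rpm prints entries newest first, each headed "* <date> <author> [<version>]".
HEADER_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) "
                       r"(?P<author>.*?<[^>]*>)(?: (?P<version>\S+))?$")
# CAN-YYYY-NNNN was the pre-2005 candidate prefix; scanners now report CVE-.
ID_RE = re.compile(r"\b(?:CAN|CVE)-(\d{4}-\d{4,})\b")

def parse_changelog(text):
    """Split rpm changelog text into entries: date, author, version, body lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"date": datetime.strptime(m["date"], "%a %b %d %Y").date(),
                            "author": m["author"], "version": m["version"],
                            "lines": []})  # version is None if the header lacks one
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
    return entries

def fix_evidence(text, advisory):
    """Oldest entry naming `advisory` (CAN- or CVE- form accepted), i.e. the
    package version that first carried the backported fix; None if unmentioned."""
    m = ID_RE.fullmatch(advisory)
    if not m:
        raise ValueError(f"not a CAN/CVE id: {advisory!r}")
    hits = [e for e in parse_changelog(text)
            if any(m[1] in ID_RE.findall(l) for l in e["lines"])]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["date"])
    return {"advisory": advisory, "version": first["version"],
            "date": first["date"].isoformat(),
            "evidence": [l for l in first["lines"] if m[1] in l]}
```

On a real system, feed it `rpm -q --changelog openssh-server` output instead of the sample; a `None` result means the changelog gives no backport evidence and the scanner finding should be treated as genuine until proven otherwise.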