
Re: need to update the following after security audit



On Tue, 2005-04-12 at 11:21 -0700, Leuy Eeelyu wrote:
> > a simple 
> > rpm -qi --changelog openssh-server |grep CAN
> > 
> > gave us
> > - additional buffer manipulation fixes
> > (CAN-2003-0695)
> >   (CAN-2003-0693)
> > 
> > appealed as a false positive due to vendor backport &
> > it was approved.
> 
> May I know what is meant by this output? What are
> CAN-2003-0695 and 0693 referring to? My English is not
> very good.  In your last statement, you meant you
> accepted the vendor's suggestion to upgrade the OpenSSH
> version?
> 
> My output shown below
> [root box root]# rpm -qi --changelog openssh-server |grep CAN
> - additional buffer manipulation fixes (CAN-2003-0695)
>   (CAN-2003-0693)
> - additional buffer manipulation fixes (CAN-2003-0695)
>   (CAN-2003-0693)


The outside vendor scanned our systems.
Our SSH & SFTP server reported its version string as an older version
number, as expected.
The security testing vendor failed us based on this version string &
told us that we needed to upgrade OpenSSH because, based only on the
version string, it was vulnerable to
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695

I told them, in my false positive appeal, that we were running a version
of OpenSSH that had the fix backported in & provided the listed output
to back up my claim.

I did not upgrade OpenSSH. I didn't need to because all appropriate
fixes were already in the RH supplied version.


-- 
Tony Placilla, RHCT
anthony_placilla suth com

J.O.A.T.

GPG-Key-ID: 1024D/C78F8B64              http://pgp.mit.edu
Key fingerprint = A8D5 7AFF CE88 4179 C792  D9A9 F197 2A15 C78F 8B64
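The check described in this thread, verifying that a distribution-backported fix is recorded in the package changelog instead of trusting the version banner a scanner sees, as an added example (not code from the thread or from Red Hat). It embeds a constructed sample changelog modelled on the quoted output so the matching logic runs offline; the `rpm_has_fix` wrapper queries a live system with `rpm -q --changelog` and is only invoked when the script is given a package name and an identifier on the command line.

```shell
#!/bin/sh
# Added example: confirm a CAN/CVE fix is listed in an RPM package changelog.
# Not from the original thread; the sample changelog below is constructed.

# Constructed sample, modelled on the openssh-server output quoted in the thread.
SAMPLE_CHANGELOG='* Wed Sep 17 2003 Example Packager <packager@example.invalid>
- additional buffer manipulation fixes (CAN-2003-0695)
  (CAN-2003-0693)
* Tue Sep 16 2003 Example Packager <packager@example.invalid>
- rebuilt'

# Accept "CAN-YYYY-NNNN", "CVE-YYYY-NNNN" or a bare "YYYY-NNNN"; the CAN and CVE
# prefixes name the same entry for 2003-era identifiers, so both are matched.
normalize_id() {
    printf '%s\n' "$1" | sed -e 's/^CAN-//' -e 's/^CVE-//'
}

# changelog_has_fix CHANGELOG_TEXT ID -> exit 0 if ID appears, 1 otherwise.
# The trailing "([^0-9]|$)" keeps 0695 from matching a longer number like 06951.
changelog_has_fix() {
    chf_id=$(normalize_id "$2")
    printf '%s\n' "$1" | grep -Eq "(CAN|CVE)-$chf_id([^0-9]|$)"
}

# list_fix_ids CHANGELOG_TEXT -> every distinct CAN/CVE identifier, one per line.
# Useful as the evidence attached to a false-positive appeal.
list_fix_ids() {
    printf '%s\n' "$1" | grep -Eo '(CAN|CVE)-[0-9]{4}-[0-9]{4,}' | sort -u
}

# rpm_has_fix PACKAGE ID -> checks the installed package's changelog on this host.
# Returns 2 when rpm is unavailable or the package is not installed.
rpm_has_fix() {
    rhf_log=$(rpm -q --changelog "$1" 2>/dev/null) || {
        echo "cannot read changelog for $1 (rpm missing or package not installed)" >&2
        return 2
    }
    changelog_has_fix "$rhf_log" "$2"
}

# Usage: sh check_backport.sh openssh-server CAN-2003-0695
if [ "$#" -eq 2 ]; then
    if rpm_has_fix "$1" "$2"; then
        echo "$2 is recorded in the $1 changelog (fix present, likely backported)"
    else
        echo "$2 not found in the $1 changelog; do not assume the fix is present"
    fi
fi
```

A scanner that grades only on the banner cannot see backports, so the changelog listing is the artefact to keep alongside the appeal; the absence of an identifier is not proof the fix is missing either, since not every packager records CAN/CVE numbers, so a negative result should send you to the vendor's errata rather than straight to an upgrade.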

