Openssh vulnerabilities
Tomas Mraz
tmraz at redhat.com
Thu Jun 14 08:18:09 UTC 2007
On Wed, 2007-06-13 at 15:23 -0600, Kevin Fenzi wrote:
> On Wed, 13 Jun 2007 20:42:09 +0200
> Tomas Mraz <tmraz at redhat.com> wrote:
>
> Yeah, I wasn't sure about these.
>
> > > +CVE-2007-2768 VULNERABLE (openssh)
> > This is not an openssh vulnerability but PAM OPIE module one and we
> > don't ship this module. -> NOT VULNERABLE
>
> Sure, although someone who uses fedora could install the pam opie
> module. I guess we can't worry too much about that.
As this cannot be fixed in the openssh code I wouldn't worry much about it.
And PAM OPIE documentation have remarks of the problem.
> > > +CVE-2007-2243 VULNERABLE (openssh, fixed 4.6)
> > We don't ship openssh with S/KEY support compiled in. -> NOT
> > VULNERABLE
>
> Yeah, ditto here.
>
> So, if the exploit requires recompiling or installing some non shipped
> item, we should ignore?
I think that we should ignore such vulnerabilities when it requires
recompiling. We did the same before. If it just requires installing a
some non-shipped item it should be evaluated individually whether it
should be ignored or not.
> What about if it's not exploitable with the default config, but is if a
> user modifies their config?
These shouldn't be ignored although the severity is of course lower if
it is a really obscure configuration.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the Fedora-security-list
mailing list