On Wed, 13 Jun 2007 20:42:09 +0200
Tomas Mraz <tmraz@xxxxxxxxxx> wrote:

Yeah, I wasn't sure about these.

> > +CVE-2007-2768 VULNERABLE (openssh)
> This is not an openssh vulnerability but PAM OPIE module one and we
> don't ship this module. -> NOT VULNERABLE

Sure, although someone who uses fedora could install the pam opie module.
I guess we can't worry too much about that.

> > +CVE-2007-2243 VULNERABLE (openssh, fixed 4.6)
> We don't ship openssh with S/KEY support compiled in. -> NOT
> VULNERABLE

Yeah, ditto here.

So, if the exploit requires recompiling or installing some non shipped item, we should ignore?
What about if it's not exploitable with the default config, but is if a user modifies their config?

I can mark those as ignore with a note...

Thanks,

kevin
-- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list