On Wed, 2007-06-13 at 15:23 -0600, Kevin Fenzi wrote:
> On Wed, 13 Jun 2007 20:42:09 +0200
> Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
>
> Yeah, I wasn't sure about these.
>
> > > +CVE-2007-2768 VULNERABLE (openssh)
> > This is not an openssh vulnerability but PAM OPIE module one and we
> > don't ship this module. -> NOT VULNERABLE
>
> Sure, although someone who uses fedora could install the pam opie
> module. I guess we can't worry too much about that.

As this cannot be fixed in the openssh code I wouldn't worry much about
it. And PAM OPIE documentation has remarks of the problem.

> > > +CVE-2007-2243 VULNERABLE (openssh, fixed 4.6)
> > We don't ship openssh with S/KEY support compiled in. -> NOT
> > VULNERABLE
>
> Yeah, ditto here.
>
> So, if the exploit requires recompiling or installing some non shipped
> item, we should ignore?

I think that we should ignore such vulnerabilities when it requires
recompiling. We did the same before. If it just requires installing
some non-shipped item it should be evaluated individually whether it
should be ignored or not.

> What about if it's not exploitable with the default config, but is if a
> user modifies their config?

These shouldn't be ignored although the severity is of course lower if
it is a really obscure configuration.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb