abhi dhiman <abhi.dhiman83@xxxxxxxxx> writes:

> Hi All,
>
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> above mentioned vulnerabilities.

Are you sure?

I was going to suggest that you take a look at Debian's packages, such as
the 6.0p1 package from "wheezy", but looking at the changelog, I only see
mention of CVE-2008-1483:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog

Likewise for 6.6p1:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog

Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, on 22 Mar
2008, so I'm wondering who would have supplied a vulnerable version of
6.2p (released in 2012).

It looks to me as though it was fixed in 4.9, so I'm very doubtful about
the assertion that 6.2 is vulnerable.

As for CVE-2015-6565, this:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565

claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.

I'll leave you to look at the other two.

Cheers, Phil.
-- 
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev