Re: Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565

abhi dhiman <abhi.dhiman83@xxxxxxxxx> writes:

> Hi All,
>
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> the above-mentioned vulnerabilities.

Are you sure?

I was going to suggest that you take a look at Debian's packages, such
as the 6.0p1 package from "wheezy", but looking at the changelog, I only
see mention of CVE-2008-1483:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog

Likewise for 6.6p1:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog

Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, on 22 Mar
2008, so I'm wondering who would have supplied a vulnerable version of
6.2p (released in 2012).

It looks to me as though it was fixed in 4.9, so I'm very doubtful
about the assertion that 6.2 is vulnerable.

As for CVE-2015-6565, this:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565

claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.

I'll leave you to look at the other two.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
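
An added example, not part of the original message and not Debian's own tooling: a small parser that scans a Debian-format changelog for CVE identifiers and reports the oldest package version whose entry mentions each one, automating the manual changelog check described in the reply. The changelog text is a constructed sample (the two version strings and the 22 Mar 2008 date come from the message; maintainer, the other date and the entry wording are placeholders), and `parse_entries` and `first_fixed` are hypothetical names.

```python
import re

# Constructed sample in Debian changelog layout; only the version strings and
# the 22 Mar 2008 date are taken from the message, the rest is placeholder text.
SAMPLE_CHANGELOG = """\
openssh (6.0p1-4+deb7u3) wheezy; urgency=high

  * Placeholder entry with no CVE identifier.

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 2015 00:00:00 +0000

openssh (4.7p1-5) unstable; urgency=low

  * CVE-2008-1483: placeholder description of the fix.

 -- Example Maintainer <maint@example.org>  Sat, 22 Mar 2008 00:00:00 +0000
"""

WANTED = ["CVE-2008-1483", "CVE-2008-5161", "CVE-2015-5600", "CVE-2015-6565"]
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) [^;]+;")
TRAILER = re.compile(r"^ -- .*?  (?P<date>.+)$")  # two spaces precede the date
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_entries(text):
    """Yield (version, date, cve_ids) per changelog stanza, newest first."""
    version, cves = None, set()
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            version, cves = header.group("ver"), set()
            continue
        trailer = TRAILER.match(line)
        if trailer and version:
            yield version, trailer.group("date"), cves
            version = None
        elif version:
            cves.update(CVE_ID.findall(line))

def first_fixed(text, wanted):
    """Map each CVE to the oldest (version, date) mentioning it, else None.

    None only means the changelog never names the CVE; it does not say
    whether the package was ever affected by it.
    """
    result = {cve: None for cve in wanted}
    for version, date, cves in parse_entries(text):  # newest first, so the
        for cve in cves & set(wanted):               # oldest mention wins
            result[cve] = (version, date)
    return result
```

Calling `first_fixed(SAMPLE_CHANGELOG, WANTED)` returns the 4.7p1-5 entry for CVE-2008-1483 and `None` for the other three identifiers, which are the ones that still need checking against the advisory's affected-version range.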
