
Thread: VULNERABILITY: openSSH is failing PCI compliance scans

  1. #1

    VULNERABILITY: openSSH is failing PCI compliance scans

    Hi

    PCI compliance scans show the following for openSSH

    SSH-2.0-OpenSSH_6.6.1 detected

    A vulnerability has been reported in the application which exists when using the ssh -X option to connect to the SSH client's X server, which allows
    connections without being subject to X11 SECURITY restrictions.
    Affected Versions:
    OpenSSH prior to version 6.9

    IMPACT:
    Successful exploitation of this vulnerability will allow an attacker to interact with the X server without being subject to X SECURITY restrictions or
    authentication

    SOLUTION:
    Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 6.9 Release Notes for further information.

    When is the openSSH in 13.1 and 13.2 going to be upgraded?

    Many thanks

  2. #2

    Re: VULNERABILITY: openSSH is failing PCI compliance scans

    On Thu 27 Aug 2015 03:26:02 PM CDT, CNConrad wrote:

    > Hi
    >
    > PCI compliance scans show the following for openSSH
    >
    > SSH-2.0-OpenSSH_6.6.1 detected
    >
    > A vulnerability has been reported in the application which exists when
    > using the ssh -X option to connect to the SSH client's X server, which allows
    > connections without being subject to X11 SECURITY restrictions.
    > Affected Versions:
    > OpenSSH prior to version 6.9
    >
    > IMPACT:
    > Successful exploitation of this vulnerability will allow an attacker to
    > interact with the X server without being subject to X SECURITY restrictions
    > or authentication
    >
    > SOLUTION:
    > Users are advised to upgrade to the latest version of the software
    > available. Refer to OpenSSH 6.9 Release Notes for further information.
    >
    > When is the openSSH in 13.1 and 13.2 going to be upgraded?
    >
    > Many thanks


    Hi
    Check the installed version changelog for the CVE reference, fixes are
    back ported so version numbers don't necessarily change. Sounds like
    your scanner is only looking at the version number, when it should
    possibly check for the vulnerability.

    --
    Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.44-52.10-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  3. #3

    Re: VULNERABILITY: openSSH is failing PCI compliance scans

    On 2015-08-27 17:26, CNConrad wrote:
    > When is the openSSH in 13.1 and 13.2 going to be upgraded?


    SUSE policy is not to update versions during the lifetime of stable
    distributions, but to backport security updates instead (with some
    exceptions). Thus, security analysis based on versions is useless on
    openSUSE.

    Unless the analyst checks the exact version and release, against a
    database of what was backported...

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))
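Both replies make the same point: on openSUSE the OpenSSH banner version stays put while fixes are backported, so a sound check has to combine the banner with the package changelog rather than stop at the version number. The following is an added example, not code from this thread or from SUSE; the changelog text, the CVE id and the bug number in it are constructed placeholders, and on a real system the changelog would come from `rpm -q --changelog openssh`.

```python
import re

# Constructed sample in the style of `rpm -q --changelog openssh` output.
# The CVE id and bug reference are placeholders, not taken from a real advisory.
SAMPLE_CHANGELOG = """\
* Mon Aug 10 2015 maintainer@example.invalid
- backport fix for X11 SECURITY restriction bypass with ssh -X
  (bsc#PLACEHOLDER, CVE-XXXX-XXXXX)
* Tue Mar 10 2015 maintainer@example.invalid
- update to 6.6.1p1 release
"""

# OpenSSH banner: SSH-2.0-OpenSSH_<major>.<minor>[.<patch>][p<portable>]
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

def version_tuple(version):
    """'6.9' -> (6, 9, 0, 0); '6.6.1p1' -> (6, 6, 1, 1)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % version)
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))

def parse_banner(banner):
    """Extract the version tuple from an SSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.search(banner)
    return version_tuple(m.group(0).split("_", 1)[1]) if m else None

def banner_says_vulnerable(banner, fixed_in):
    """What a version-only scanner concludes: any banner older than the fix is flagged."""
    v = parse_banner(banner)
    return v is not None and v < version_tuple(fixed_in)

def changelog_mentions(changelog, cve_id):
    """True if the installed package's changelog records the CVE, i.e. a backported fix."""
    return re.search(r"\b" + re.escape(cve_id) + r"\b", changelog) is not None

def assess(banner, fixed_in, cve_id, changelog):
    """Combine both signals: flag only when the banner is old AND no backport is recorded."""
    if not banner_says_vulnerable(banner, fixed_in):
        return "not affected (version at or above fix)"
    if changelog_mentions(changelog, cve_id):
        return "fixed by backport (version unchanged)"
    return "vulnerable (no backport recorded)"
```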
