CVE-2008-1657 - SLES Servers

Novell posts no affected products or platforms in regards to the openssh
force directive vulnerability.
Does anyone know where further information can be found? I have to
provide evidence that we are not impacted by this vulnerability and
right now the only thing I can think of is demonstrating that a Novell
version of the operating system is in use.
‘CVE-2008-1657’
(http://support.novell.com/security/cve/CVE-2008-1657.html)


bsalamon


My SLES 10 servers have OpenSSH 4.2 (too early) and my SLES 11 servers
have OpenSSH 5.1 (too late). What’s the concern?

Good luck.


Want to yell at me in person?
Come to BrainShare 2011 in October: http://tinyurl.com/brainshare2011

On 14/09/2011 22:36, bsalamon wrote:
> Novell posts no affected products or platforms in regards to the openssh
> force directive vulnerability.
> Does anyone know where further information can be found? I have to
> provide evidence that we are not impacted by this vulnerability and
> right now the only thing I can think of is demonstrating that a Novell
> version of the operating system is in use.
> ‘CVE-2008-1657’
> (http://support.novell.com/security/cve/CVE-2008-1657.html)

That’s an old vulnerability so you would expect it to be fixed in recent
versions of OpenSSH.

However Novell don’t always appear to use later versions of software with
SLES, preferring to stick with an earlier stable version but backporting
certain fixes. So whilst you may appear to have an affected version
installed it doesn’t actually have the particular issue.

You can try using the following command to see if Novell have noted this
particular vulnerability in the changelog for the openssh package:

rpm -q --changelog openssh | grep "CVE-2008-1657"

HTH.

Simon
Novell Knowledge Partner (NKP)
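
An added example, not part of the original posts: for audit evidence, the changelog check suggested above can return the whole dated changelog entry that mentions the CVE rather than a single grep line. The function name and the sample changelog text are constructed for illustration and are not real SLES package output.

```shell
#!/bin/sh
# Print every changelog entry (header line plus body) that mentions a CVE id.
# Input: `rpm -q --changelog <pkg>` output on stdin.
# Exit status: 0 if at least one entry mentions the id, 1 otherwise.
# A match shows the packager recorded a fix. No match proves nothing either
# way: the packaged version may predate or postdate the bug.
cve_changelog_entries() {
    awk -v id="$1" '
        function emit() {
            if (hit) { printf "%s\n%s", header, body; found = 1 }
        }
        # An entry starts with a header line: "* Day Mon DD YYYY packager"
        /^\* / { emit(); header = $0; body = ""; hit = 0; next }
        {
            body = body $0 "\n"
            # Fixed-string match; reject a longer id that merely shares the
            # prefix (the character after the id must not be a digit).
            p = index($0, id)
            if (p && substr($0, p + length(id), 1) !~ /[0-9]/) hit = 1
        }
        END { emit(); exit(found ? 0 : 1) }
    '
}

# Constructed sample input (not real package data), so the block runs
# without rpm installed.
SAMPLE_CHANGELOG='* Tue Apr 01 2008 packager@example.com
- constructed entry: backported fix for CVE-2008-1657

* Tue Jan 01 2008 packager@example.com
- constructed entry: unrelated packaging change
'

printf '%s' "$SAMPLE_CHANGELOG" | cve_changelog_entries CVE-2008-1657

# On a real server, record the installed package and the matching entry:
#   rpm -q openssh
#   rpm -q --changelog openssh | cve_changelog_entries CVE-2008-1657
```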