newer versions of openSSH for SLES 11sp2?

Hi all,

I just built two new SLES 11sp2 servers and both of them have several vulnerabilities related to openSSH found by our Nessus scans. The fix to the problems is to upgrade to openSSH 5.9 or greater. The current version on the server is 5.1 and there are no later versions found in the Novell repositories.

The latest version available from openssh.org is 6.1. If I were to install one of these later versions, how would it affect future updates from Novell? For example, if they later release an SP3 for SLES 11, would it overwrite the version of openssh I manually installed?

Thanks for the advice,
jg

Hi
What are the vulnerabilities Nessus reports? I would imagine they are
false positives.

Fixes (esp security related) are backported to the SLE versions. Do you
get update notification emails?

Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 3:24, 3 users, load average: 0.04, 0.04, 0.05
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile

If the fixes are backported to the current SLES versions, then how can Nessus be reporting false positives? I guess I don’t understand that part. And no, I don’t get update notification emails.

Hi
A lot of tools just check version numbers so whilst the version may be
older, fixes are actually in there and have been backported.

zypper if -t patch sledsp1-openssh

Refreshing service 'nu_novell_com'.
Loading repository data...
Reading installed packages...


Information for patch sledsp1-openssh:

Name: sledsp1-openssh
Version: 6672
Arch: noarch
Vendor: maint-coord@suse.de
Status: Installed
Category: security
Created On: Mon Aug 13 09:31:28 2012
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for openssh
Description:

This collective security update of openssh fixes multiple security
issues:

* memory exhaustion in gssapi due to integer overflow (bnc#756370,
CVE-2011-5000)
* forced command option information leak (bnc#744643, CVE-2012-0814)

Additionally, the following bug has been fixed:

* bnc#752354 server-side delay upon user exiting a ssh session, due
to DNS queries from libaudit


Provides:
patch:sledsp1-openssh == 6672

Conflicts:
openssh.x86_64 < 5.1p1-41.55.1
openssh-askpass.x86_64 < 5.1p1-41.55.1

So what CVEs does your audit application look for (or require), or do
you have a CVE reference?

You should subscribe to the patch emails as it’s a good reference point
to find further information.

Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 19:23, 4 users, load average: 0.02, 0.03, 0.05
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile
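An added example (not code from the thread or from SUSE) of the reconciliation the reply above describes: parse the `zypper info -t patch` text for the CVEs it names and the package versions it requires, then decide for each CVE a version-only scanner reports whether the backported fix is actually in place. The patch text is a constructed sample modelled on the output quoted above, the `installed` map is assumed to hold what `rpm -q` reports for each package, and the version comparison is a simplified form of RPM's ordering.

```python
import re

# Constructed sample modelled on the `zypper info -t patch` output quoted in the thread (not a real capture).
PATCH_INFO = """Status: Installed
Description:
* memory exhaustion in gssapi due to integer overflow (bnc#756370,
CVE-2011-5000)
* forced command option information leak (bnc#744643, CVE-2012-0814)
Conflicts:
openssh.x86_64 < 5.1p1-41.55.1
"""
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_patch_info(text):
    """Collect the patch status, the CVEs it names and the package versions it requires."""
    info = {"status": None, "cves": set(), "min_versions": {}}
    for line in text.splitlines():
        if line.startswith("Status:"):
            info["status"] = line.split(":", 1)[1].strip()
        info["cves"].update(CVE_RE.findall(line))  # CVE ids may be wrapped onto their own line
        m = re.match(r"(\S+?)\.(\w+) < (\S+)$", line.strip())  # e.g. openssh.x86_64 < 5.1p1-41.55.1
        if m:
            info["min_versions"][m.group(1)] = m.group(3)
    return info

def rpmvercmp(a, b):
    """Simplified RPM version order: compare alternating numeric / alphabetic segments."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def reconcile(scanner_cves, installed, patch_text):
    """Map each scanner-reported CVE to a verdict; `installed` maps package name to installed version."""
    patch = parse_patch_info(patch_text)
    applied = patch["status"] == "Installed" and all(
        pkg not in installed or rpmvercmp(installed[pkg], ver) >= 0
        for pkg, ver in patch["min_versions"].items())
    verdicts = {}
    for cve in scanner_cves:
        if cve not in patch["cves"]:
            verdicts[cve] = "not covered by this patch"  # look at other patches or `rpm -q --changelog`
        else:
            verdicts[cve] = "fixed" if applied else "patch known but not applied"
    return verdicts
```

A CVE the scanner flags purely from the 5.1 version string but which this patch names, on a box whose openssh meets the Conflicts threshold, comes back "fixed"; anything else still needs a changelog or advisory check.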