I just built two new SLES 11sp2 servers and both of them have several vulnerabilities related to openSSH found by our Nessus scans. The fix to the problems is to upgrade to openSSH 5.9 or greater. The current version on the server is 5.1 and there are no later versions found in the Novell repositories.
The latest version available from openssh.org is 6.1. If I were to install one of these later versions, how would it affect future updates from Novell? For example, if they later release an SP3 for SLES 11, would it overwrite the version of openssh I manually installed?
A lot of tools just check version numbers so whilst the version may be
older, fixes are actually in there and have been backported.
zypper if -t patch sledsp1-openssh
Refreshing service 'nu_novell_com'.
Loading repository data...
Reading installed packages...
Information for patch sledsp1-openssh:
Created On: Mon Aug 13 09:31:28 2012
Reboot Required: No
Package Manager Restart Required: No
Summary: Security update for openssh
This collective security update of openssh fixes multiple security
* memory exhaustion in gssapi due to integer overflow (bnc#756370,
* forced command option information leak (bnc#744643, CVE-2012-0814)
Additionally, the following bug has been fixed:
* bnc#752354 server-side delay upon user exiting a ssh session, due
to DNS queries from libaudit
patch:sledsp1-openssh == 6672
openssh.x86_64 < 5.1p1-41.55.1
openssh-askpass.x86_64 < 5.1p1-41.55.1
So what CVEs does your audit application look for (or require) or do
you have a CVE reference?
You should subscribe to the patch emails as it’s a good reference point
to find further information.
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 19:23, 4 users, load average: 0.02, 0.03, 0.05
CPU Intel® i5 CPU M520@2.40GHz | GPU Intel® Ironlake Mobile
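
Added example, not part of the thread: one way to triage a version-based scanner finding against a backported package is to look up each CVE the scanner reports in the package's own changelog. The function name `cve_status`, the sample changelog text and the placeholder ID CVE-0000-0000 are constructed for illustration; only CVE-2012-0814 and the bnc numbers come from the patch summary above.

```shell
#!/bin/sh
# cve_status CVE-ID...
# Reads a package changelog on stdin and prints, for each CVE ID given,
# whether the changelog mentions it. On an RPM-based system the input
# would come from:  rpm -q --changelog openssh | cve_status CVE-2012-0814
cve_status() {
    changelog=$(cat)          # read stdin once so several IDs can be checked
    for cve in "$@"; do
        # -F: fixed string, -w: whole word (so ...-0814 does not match ...-08140),
        # -i: changelogs are not consistent about case
        if printf '%s\n' "$changelog" | grep -qiwF -- "$cve"; then
            printf '%s fixed-in-changelog\n' "$cve"
        else
            # Absence is not proof of exposure: the fix may be recorded
            # under a bug number only, so check the vendor advisory next.
            printf '%s not-mentioned\n' "$cve"
        fi
    done
}

# Constructed sample input, modelled on the patch summary quoted above.
sample_changelog() {
    cat <<'EOF'
* Mon Aug 13 2012 maintainer@example.com
- forced command option information leak (bnc#744643, CVE-2012-0814)
- server-side delay upon user exiting a ssh session (bnc#752354)
EOF
}

# Demo run on the constructed sample; CVE-0000-0000 is a placeholder ID.
sample_changelog | cve_status CVE-2012-0814 CVE-0000-0000
```

A "not-mentioned" result is a prompt to read the vendor's advisory for that CVE, not a verdict that the package is vulnerable.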