Hi Salvatore,
Thank you for that very useful link.
The only outstanding concern from my list is:
ID: OSVDB 14400
THREAT:
The SSH server running on the remote host is affected by an information
disclosure vulnerability.
IMPACT:
According to its banner, the version of OpenSSH running on the remote
host is prior to 7.5. It is, therefore, affected by an information
disclosure vulnerability:
- An unspecified timing flaw exists in the CBC padding oracle
countermeasures, within the ssh and sshd functions, that allows an
unauthenticated, remote attacker to disclose potentially sensitive
information.
Note that the OpenSSH client disables CBC ciphers by default. However,
sshd offers them as lowest-preference options, which will be removed by
default in a future release. (VulnDB 144000)
SOLUTION:
Upgrade to OpenSSH version 7.5 or later.
Can you advise of the best alternative fix as 7.5 only appears to be
available in unstable releases (buster and sid)?
In the Debian world, what's the relation / difference between OSVDBs and CVEs?
Regards
Adam
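The advisory text above notes that sshd still offers CBC ciphers as lowest-preference options. The following POSIX shell script is an added example, not part of this thread or of Debian's openssh packaging: it reads the effective server configuration in the format printed by `sshd -T` (the lowercase `ciphers` keyword followed by a comma-separated list), reports any CBC-mode ciphers that are offered, and derives a `Ciphers` line that keeps the server's own list minus the CBC entries. The sample `sshd -T` output embedded in the script is constructed for the example; on a real host you would pipe the output of `sshd -T` (run as root) into `effective_ciphers` instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective sshd cipher list
# for CBC modes and derive a Ciphers value without them.
# Input format is what `sshd -T` prints: lowercase keyword, space, value.

# Constructed sample of `sshd -T` output for an older OpenSSH server.
# On a live system use:  sshd -T | effective_ciphers
SAMPLE_SSHD_T='port 22
protocol 2
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1'

# Print the comma-separated cipher list from sshd -T output read on stdin.
effective_ciphers() {
    awk '$1 == "ciphers" { print $2; exit }'
}

# Print CBC-mode cipher names, one per line, from a comma-separated list.
# Prints nothing (and still succeeds) when no CBC cipher is present.
cbc_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -- '-cbc$' || true
}

# Print the list with CBC-mode ciphers removed, preserving the original order.
strip_cbc() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -- '-cbc$' | tr '\n' ',' | sed 's/,$//'
}

# Exit status 0 if the list offers at least one CBC cipher, 1 otherwise.
offers_cbc() {
    [ -n "$(cbc_ciphers "$1")" ]
}

# Report findings for one block of sshd -T output and suggest a hardened line.
audit_ciphers() {
    list=$(printf '%s\n' "$1" | effective_ciphers)
    if offers_cbc "$list"; then
        echo "CBC ciphers offered by sshd:"
        cbc_ciphers "$list" | sed 's/^/  /'
        echo "Suggested sshd_config line (same list without CBC):"
        echo "  Ciphers $(strip_cbc "$list")"
    else
        echo "No CBC ciphers offered."
    fi
}

audit_ciphers "$SAMPLE_SSHD_T"
```

Removing CBC from the offered list only stops the server from negotiating those modes; it is a mitigation for the padding-oracle countermeasure issue, not a replacement for the upstream fix the advisory points to. Before applying the suggested `Ciphers` line, confirm that the clients you need to support can still negotiate one of the remaining ciphers, and reload sshd after editing so `sshd -T` reflects the change.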
On 09/08/2017 09:36, Salvatore Bonaccorso wrote:
> Hi
>
> On Wed, Aug 09, 2017 at 09:21:42AM +0100, Adam Weremczuk wrote:
>> Hello,
>>
>> Could somebody confirm the status of the following:
>> CVE-2014-1692
>> CVE-2014-2532
>> CVE-2015-5352
>> CVE-2015-5600
>> CVE-2015-6563
>> CVE-2015-6564
>> CVE-2015-6565
>> CVE-2016-10009
>> CVE-2016-10010
>> CVE-2016-10011
>> CVE-2016-10012
>> OSVDB-144000
>> in 6.0p1-4+deb7u6?
>
> The security-tracker can help you verify the status for certain
> CVEs and source packages. For openssh, have a look at:
> https://security-tracker.debian.org/tracker/source-package/openssh
>
>> I've searched for references in
>> /usr/share/doc/openssh-server/changelog.Debian on a system running
>> version 6.0p1-4+deb7u6 on wheezy 7.1 but couldn't find them.
>>
>> Also:
>> https://packages.debian.org/wheezy/openssh-server --> "Debian Changelog"
>> returns 404 not found.
>> Why is that?
>
> That's unfortunately because of https://bugs.debian.org/490848 (and
> the related merged bugs).
>
> Regards,
> Salvatore