Thanks Steve,

The scanner does indeed rely on banners (which can be completely unreliable
especially on OpenBSD).  However, I would like them to not knock over my
servers trying to confirm the problem if I can easily determine that the
patches are irrelevant.   Of course this is a greater problem for holes that
are not fixed but I can't tell which is the case without more information.

A centralized repository of vulnerability information would make my job
maintaining OpenBSD systems much simpler and would provide yet another
avenue to extol the virtues of OpenBSD versus other operating systems (as
in this case where the patch was released a year before the vulnerability
was disclosed).

I understand that correlating patches with as yet undisclosed or
unidentified flaws is not possible.  However, whenever a security
vulnerability is announced, every administrator should be asking themselves if
their systems are vulnerable (even if they have tremendous confidence that
OpenBSD would normally handle such problems proactively).  Answering that
question (as you have kindly answered for me) would be a normal part of the
review process and documenting the result would be very beneficial to the
OpenBSD community.

Cheers,

Dan

On 10/18/06, Steve Shockley <[EMAIL PROTECTED]> wrote:
>
> Podo Carp wrote:
> > I recently underwent an audit of my OpenBSD 3.8 systems and the audit report
> > identified CVE-2004-0700 (mod-proxy/mod_ssl format string vulnerability) as
> > a potential risk.
>
> Perhaps your scanner relies on reported versions, rather than actual
> vulnerabilities?
>
> If I'm reading the vulnerability right, it was fixed here:
>
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c.diff?r1=1.9&r2=1.10&f=h
>
> The vuln was disclosed 7/27/2004, but was fixed 6/1/2003.
