On Wed, 13 Jun 2007 20:42:09 +0200
Tomas Mraz <tmraz(a)redhat.com> wrote:
Yeah, I wasn't sure about these.
> +CVE-2007-2768 VULNERABLE (openssh)
> This is not an openssh vulnerability but PAM OPIE module one and we
> don't ship this module. -> NOT VULNERABLE
Sure, although someone who uses Fedora could install the PAM OPIE
module. I guess we can't worry too much about that.
> +CVE-2007-2243 VULNERABLE (openssh, fixed 4.6)
> We don't ship openssh with S/KEY support compiled in. -> NOT
> VULNERABLE
Yeah, ditto here.
So, if the exploit requires recompiling or installing some non-shipped
item, we should ignore?
What about if it's not exploitable with the default config, but is if a
user modifies their config?
I can mark those as ignore with a note...
Thanks,
kevin