OpenSSH vulnerabilities

Kevin Fenzi kevin at tummy.com
Wed Jun 13 21:23:58 UTC 2007


On Wed, 13 Jun 2007 20:42:09 +0200
Tomas Mraz <tmraz at redhat.com> wrote:

Yeah, I wasn't sure about these. 

> > +CVE-2007-2768 VULNERABLE (openssh)
> This is not an openssh vulnerability but PAM OPIE module one and we
> don't ship this module. -> NOT VULNERABLE

Sure, although someone who uses Fedora could install the PAM OPIE
module. I guess we can't worry too much about that.

> > +CVE-2007-2243 VULNERABLE (openssh, fixed 4.6)
> We don't ship openssh with S/KEY support compiled in. -> NOT
> VULNERABLE

Yeah, ditto here. 

So, if the exploit requires recompiling or installing some non-shipped
item, we should ignore?

What about if it's not exploitable with the default config, but is if a
user modifies their config? 

I can mark those as ignore with a note... 

Thanks, 

kevin