CVE-2008-1657 - SLES Servers



bsalamon
14-Sep-2011, 22:36
Novell posts no affected products or platforms in regards to the OpenSSH
force directive vulnerability. Does anyone know where further information
can be found? I have to provide evidence that we are not impacted by this
vulnerability and right now the only thing I can think of is
demonstrating that a Novell version of the operating system is in use.
'CVE-2008-1657'
(http://support.novell.com/security/cve/CVE-2008-1657.html)


--
bsalamon

ab
14-Sep-2011, 22:46
My SLES 10 servers have OpenSSH 4.2 (too early) and my SLES 11 servers
have OpenSSH 5.1 (too late). What's the concern?

Good luck.

--
Want to yell at me in person?
Come to BrainShare 2011 in October: http://tinyurl.com/brainshare2011

Simon Flood
14-Sep-2011, 23:17
On 14/09/2011 22:36, bsalamon wrote:

> Novell posts no affected products or platforms in regards to the OpenSSH
> force directive vulnerability. Does anyone know where further information
> can be found? I have to provide evidence that we are not impacted by this
> vulnerability and right now the only thing I can think of is
> demonstrating that a Novell version of the operating system is in use.
> 'CVE-2008-1657'
> (http://support.novell.com/security/cve/CVE-2008-1657.html)

That's an old vulnerability so you would expect it to be fixed in recent
versions of OpenSSH.

However Novell don't always appear to use later versions of software with
SLES, preferring to stick with an earlier stable version but backporting
certain fixes. So whilst you may appear to have an affected version
installed it doesn't actually have the particular issue.

You can try using the following command to see if Novell have noted this
particular vulnerability in the changelog for the openssh package:

rpm -q --changelog openssh | grep "CVE-2008-1657"

HTH.
--
Simon
Novell Knowledge Partner (NKP)
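
The changelog check suggested above, extended as an added example (not part of the original posts) so that it prints the whole dated changelog entry that mentions the CVE, which is what an auditor will want to see. The function name cve_entries and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example: print every RPM changelog entry that mentions a given CVE,
# including the entry's header line (date and packager), so the output can be
# filed as evidence of a backported fix.
#
# Live use on a SLES host:
#   rpm -q --changelog openssh | cve_entries CVE-2008-1657

cve_entries() {
    # $1 = CVE identifier; changelog text is read from stdin.
    # Exit status: 0 if at least one entry matches, 1 if none.
    awk -v cve="$1" '
        function emit() {
            if (entry != "" && hit) { printf "%s", entry; found = 1 }
            entry = ""; hit = 0
        }
        /^\* / { emit() }                # "* <date> ..." starts a new entry
        {
            entry = entry $0 "\n"
            if (index($0, cve)) hit = 1  # fixed-string match, not a regex
        }
        END { emit(); exit(found ? 0 : 1) }
    '
}

# Constructed sample changelog (not real package data), in RPM changelog layout.
sample_changelog() {
    cat <<'EOF'
* Thu Jan 01 2009 - packager@example.com
- constructed entry: fix CVE-2008-1657
- constructed entry: unrelated cleanup
* Mon Dec 01 2008 - packager@example.com
- constructed entry: update documentation
EOF
}

# Demo on the constructed sample; prints only the first entry.
sample_changelog | cve_entries CVE-2008-1657
```

A non-zero exit status means only that the changelog does not mention the CVE; it does not by itself show whether the installed build is affected.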