On 14/09/2011 22:36, bsalamon wrote:

> Novell posts no affected products or platforms in regards to the openssh
> force directive vulnerability.
> Does anyone know where further information can be found? I have to
> provide evidence that we
> are not impacted by this vulnerability and right now the only thing I
> think of is demonstrating that a Novell
> version of the operating system is in use.
> 'CVE-2008-1657'
> (http://support.novell.com/security/c...2008-1657.html)

That's an old vulnerability so you would expect it to be fixed in recent
versions of OpenSSH.

However, Novell don't always appear to use later versions of software with
SLES, preferring to stick with an earlier stable version but backporting
certain fixes. So whilst you may appear to have an affected version
installed it doesn't actually have the particular issue.

You can try using the following command to see if Novell have noted this
particular vulnerability in the changelog for the openssh package:

rpm -q --changelog openssh | grep "CVE-2008-1657"

Novell Knowledge Partner (NKP)
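
The changelog check from the reply above, extended to print the changelog entry header (date and packager) alongside the matching line so it can be attached as evidence. This is an added example, not part of the original post: the function names `cve_changelog_evidence` and `sample_changelog` are hypothetical, and the sample changelog is constructed.

```shell
#!/bin/sh
# Added example: report which changelog entry mentions a given CVE.
# Input : `rpm -q --changelog <package>` output on stdin
# Arg 1 : CVE identifier to look for (matched literally)
# Output: the entry header line ("* date - packager") and each matching line
# Exit  : 0 if the identifier is mentioned, 1 if it is not

cve_changelog_evidence() {
    awk -v cve="$1" '
        # A line starting with "* " opens a new changelog entry.
        /^\* / { header = $0; shown = 0; next }

        # index() is a literal substring match, so the CVE id is not
        # interpreted as a regular expression.
        index($0, cve) {
            if (!shown) { print header; shown = 1 }
            print
            found = 1
        }

        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in rpm changelog layout (not real package data).
sample_changelog() {
cat <<'EOF'
* Tue Jan 05 2010 - packager@example.com
- constructed entry: unrelated fix
* Wed Apr 02 2008 - packager@example.com
- constructed entry: backported fix for CVE-2008-1657
- constructed entry: another change
EOF
}

# On an installed system the same function is fed from rpm:
#   rpm -q openssh
#   rpm -q --changelog openssh | cve_changelog_evidence CVE-2008-1657
```

A non-zero exit only means the changelog does not mention the identifier; it does not by itself show whether the package is affected.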