abhi dhiman
2016-Mar-08 12:44 UTC
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Hi All,

Actually I am working with the OpenSSH version 6.2p which is vulnerable to the above-mentioned vulnerabilities.

So I am looking for some help on how I can fix these vulnerabilities in my version. I need to fix it in the OpenSSH code.

Regards
Abhishek
Gert Doering
2016-Mar-08 13:12 UTC
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Hi,

On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote:
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> above mentioned vulnerabilities.
>
> So am looking for some help how I can fix these vulnerabilities in my
> version. I need to fix it in the OpenSSH code.

"Upgrade to 7.2"?

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
abhi dhiman
2016-Mar-08 13:19 UTC
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Hi Gert,

Thanks for your reply. But we can't upgrade to version 7.2, and we don't have a plan to upgrade in the near future. Can I fix these vulnerabilities in the current version?

Regards
Abhishek

On Tue, Mar 8, 2016 at 6:42 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote:
> > Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> > above mentioned vulnerabilities.
> >
> > So am looking for some help how I can fix these vulnerabilities in my
> > version. I need to fix it in the OpenSSH code.
>
> "Upgrade to 7.2"?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
>
--
abhi~dhiman
Philip Hands
2016-Mar-14 17:55 UTC
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
abhi dhiman <abhi.dhiman83 at gmail.com> writes:
> Hi All,
>
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> above mentioned vulnerabilities.

Are you sure?

I was going to suggest that you take a look at Debian's packages, such as the 6.0p1 package from "wheezy", but looking at the changelog, I only see mention of CVE-2008-1483:

http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog

Likewise for 6.6p1:

http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog

Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, on 22 Mar 2008, so I'm wondering who would have supplied a vulnerable version of 6.2p (released in 2012).

It looks to me as though it was fixed in 4.9, so I'm very doubtful about the assertion that 6.2 is vulnerable.

As for CVE-2015-6565, this:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565

claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.

I'll leave you to look at the other two.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
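A small version-triage helper, added here as an illustration and not part of the thread or of OpenSSH: it parses an OpenSSH version banner (the `OpenSSH_6.2p2` form that `ssh -V` prints) and checks it only against the two affected ranges Phil quotes above. The `AFFECTED` table, the function names and the sample banners are my own constructions; the thread gives no ranges for the other two CVEs, so they are deliberately absent.

```python
import re

# Affected ranges exactly as stated in the thread: CVE-2008-1483 "fixed in
# 4.9", CVE-2015-6565 "versions 6.8 and 6.9".  The table is incomplete by
# design; CVE-2008-5161 and CVE-2015-5600 are not covered because the thread
# does not give their ranges.  Each value: (predicate over (major, minor), note).
AFFECTED = {
    "CVE-2008-1483": (lambda v: v < (4, 9), "fixed in 4.9 per the thread"),
    "CVE-2015-6565": (lambda v: v in ((6, 8), (6, 9)), "NVD lists 6.8 and 6.9"),
}

# Upstream banner: OpenSSH_<major>.<minor>[p<portable>], possibly followed by
# distro suffixes and the OpenSSL version, e.g. "OpenSSH_7.2p2, OpenSSL ...".
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_or_None) from an OpenSSH version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    major, minor, portable = m.groups()
    return int(major), int(minor), (int(portable) if portable else None)


def triage(banner):
    """List the CVEs from AFFECTED whose stated range covers this banner.

    A hit means "the upstream version number falls in the published range",
    not "confirmed vulnerable": distributions backport fixes without bumping
    the upstream number (Phil's point about the Debian changelogs), so a hit
    should send you to the package changelog, and an empty list is only as
    good as the table.
    """
    major, minor, _ = parse_openssh_version(banner)
    return sorted(cve for cve, (hit, _note) in AFFECTED.items()
                  if hit((major, minor)))


if __name__ == "__main__":
    # Constructed sample banners, including the 6.2p the thread is about.
    for sample in ("OpenSSH_6.2p2", "OpenSSH_4.7p1",
                   "OpenSSH_6.9p1", "OpenSSH_7.2p2, OpenSSL 1.0.2g  1 Mar 2016"):
        print(sample, "->", triage(sample) or "no hit in table")
```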
abhi dhiman
2016-Mar-15 13:54 UTC
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Thanks a lot guys for the pointers.

Regards
Abhishek

On 14-Mar-2016 11:30 pm, "Philip Hands" <phil at hands.com> wrote:
> abhi dhiman <abhi.dhiman83 at gmail.com> writes:
>
> > Hi All,
> >
> > Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> > above mentioned vulnerabilities.
>
> Are you sure?
>
> I was going to suggest that you take a look at Debian's packages, such
> as the 6.0p1 package from "wheezy", but looking at the changelog, I only
> see mention of CVE-2008-1483:
>
> http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog
>
> Likewise for 6.6p1:
>
> http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog
>
> Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, in 22 Mar
> 2008, so I'm wondering who would have supplied a vulnerable version of
> 6.2p (release in 2012).
>
> It looks to me as though it was fixed in 4.9, so I'm very doubtful
> about the assertion that 6.2 is vulnerable.
>
> As for CVE-2015-6565, this:
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565
>
> claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.
>
> I'll leave you to look at the other two.
>
> Cheers, Phil.
> --
> |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
> |-| http://www.hands.com/ http://ftp.uk.debian.org/
> |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
>