I also got OpenSSH red flag (ID 22466) for Debian Etch, OpenSSH
1:4.3p2-9. The systems have been clean until most recent scan (10/18).
We run many Debian Etch servers, and a lot of red flags.
Are they also false positives? I read some changelogs of Debian
OpenSSH server package, looks at at least the 2005-5051 is fixed in
1:4.3p2-4.
Xueshan
Quoting Jeff Chapin <Jeff.Chapin@t8design.com>:
Hello,
CentOS release 4.5 (Final), with CPanel here. Using a nessus scan with
ssh credentials, I am getting the following as a critical error:
According to its banner, the version of OpenSSH installed on the
remote host contains a race condition that may allow an
unauthenticated remote attacker to crash the service or, on portable
OpenSSH, possibly execute code on the affected host. In addition,
another flaw exists that may allow an attacker to determine the
validity of usernames on some platforms.
However, from the linked CVE, and the linked Redhat Errata
(RHSA-2006:0698-8) it appears that this is a corrected issue with a
backported patch. I am not sure that the version I have is NOT
vulnerable, or that I am reading this documentation correctly.
Here is some additional info that may be relevant:
Installed Packages
openssh.i386 3.9p1-8.RHEL4.20
installed
# ssh -v
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
Thanks!
Jeff
JEFF CHAPIN
SYSTEM ADMINISTRATOR
T8DESIGN.COM | P 319.266.7574 - x267 | 877.T8IDEAS | F 888.290.4675
This e-mail, including attachments, is covered by the Electronic
Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential, and
may be legally privileged. If you are not the intended recipient, you
are hereby notified that any retention, dissemination, distribution, or
copying of this communication is strictly prohibited. Please reply to
the sender that you have received the message in error, and then please
delete it. Thank you.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
