Adam Weremczuk <[email protected]> writes:

> Does their flagging mean they don't know how Debian security patching
> works?
They probably just don't care. Most of those firms do literally nothing other than running Nessus on your server remotely and then giving you the results formatted to make a manager happy (and charging you a ton of money for doing so). Nessus determines vulnerabilities primarily by asking the server for what version of sshd it's running, and is not at all intelligent about the patching policies of local distributions. Filtering out false positives from Nessus is nearly a full-time job (about 95% of Nessus results are wrong). Most security audit firms don't bother; people seem happy to pay them anyway, so why bother doing any extra work?

Anyway, the two vulnerabilities that you're trying to deal with are CVE-2016-3115 (X11 CRLF injection) and CVE-2014-2532 (AcceptEnv wildcards).

CVE-2014-2532 is fixed in wheezy already, via a security update (fixed as of 1:6.0p1-4+deb7u1). CVE-2016-3115 does not appear to be fixed in wheezy (although if I understand the bug correctly, it only applies to forced command configurations in authorized_keys which also allow X11 forwarding, with a fairly simple workaround of just adding no-X11-forwarding to the relevant authorized_keys lines).

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
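The two things an admin would actually verify after reading the reply above, written out as an added example (this is not code from the thread or from Debian). The first check compares the installed openssh-server package version against the fixed version the reply names for CVE-2014-2532, using dpkg's version ordering rather than the sshd banner that a scanner looks at; it assumes a Debian host with dpkg and dpkg-query available. The second check audits authorized_keys files for forced-command entries (a `command=` option) that do not also carry `no-X11-forwarding`, and shows how such a line would be rewritten with the workaround the reply suggests. The detection is a heuristic on the options field of each line; the function names and the sample lines used in testing are the example's own constructions.

```shell
#!/bin/sh
# Added example: not part of the original mailing-list thread.
# Assumes a Debian system for the dpkg-based version check; the
# authorized_keys audit is plain POSIX sh and runs anywhere.

# Version named in the reply as fixing CVE-2014-2532 on wheezy.
FIXED_2014_2532="1:6.0p1-4+deb7u1"

# Returns 0 when the given Debian version string is at or above the
# fixed version. Uses dpkg's own comparison, so epochs and +debNuM
# suffixes are ordered the way the archive orders them, which is
# exactly what a banner-based scanner does not do.
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_2014_2532"
}

# Prints the installed openssh-server version (empty if not installed).
installed_sshd_version() {
    dpkg-query -W -f='${Version}' openssh-server 2>/dev/null
}

# Returns 0 when an authorized_keys line has a command= option but no
# no-X11-forwarding option. Lines that are blank, comments, or start
# directly with a key type (no options field) never need hardening.
# Option names are matched case-insensitively, as sshd matches them.
line_needs_hardening() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        ''|'#'*|ssh-*|ecdsa-*) return 1 ;;
        *no-x11-forwarding*)   return 1 ;;
        *command=*)            return 0 ;;
        *)                     return 1 ;;
    esac
}

# Prints the line with no-X11-forwarding prepended to its options when
# needed; otherwise prints it unchanged. Options are the first field of
# the line, so prepending keeps the line well-formed.
harden_line() {
    if line_needs_hardening "$1"; then
        printf 'no-X11-forwarding,%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Prints file:lineno: line for every entry needing hardening.
# Returns 0 when the file is clean, 1 when at least one entry was found.
audit_authorized_keys() {
    file="$1"
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if line_needs_hardening "$line"; then
            printf '%s:%d: %s\n' "$file" "$n" "$line"
            found=1
        fi
    done < "$file"
    return $found
}

# Writes a hardened copy of an authorized_keys file to stdout, so it
# can be reviewed before replacing the original.
harden_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        harden_line "$line"
    done < "$1"
}
```

Source the script and run `audit_authorized_keys /home/*/.ssh/authorized_keys` to list the entries the reply is talking about, and `harden_authorized_keys FILE > FILE.new` to produce the corrected copy for review. For the package check, `version_is_fixed "$(installed_sshd_version)"` exits 0 only when the installed version is at or past 1:6.0p1-4+deb7u1, regardless of what the "OpenSSH_6.0p1" banner tells a remote scanner. Note that wheezy's OpenSSH 6.0 predates the `restrict` option, so `no-X11-forwarding` is the right spelling of the workaround there.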
