Thank you for that very useful link.
The only outstanding concern from my list is:
ID: OSVDB 14400
The SSH server running on the remote host is affected by an information
According to its banner, the version of OpenSSH running on the remote
host is prior to 7.5. It is, therefore, affected by an information
disclosure vulnerability:
- An unspecified timing flaw exists in the CBC padding oracle
countermeasures, within the ssh and sshd functions, that allows an
unauthenticated, remote attacker to disclose potentially sensitive
information.
Note that the OpenSSH client disables CBC ciphers by default. However,
sshd offers them as lowest-preference options, which will be removed by
default in a future release. (VulnDB 144000)
Upgrade to OpenSSH version 7.5 or later.
Can you advise on the best alternative fix, as 7.5 only appears to be
available in unstable releases (buster and sid)?
In the Debian world - what's the relation / difference between OSVDBs and CVEs?
On 09/08/2017 09:36, Salvatore Bonaccorso wrote:
On Wed, Aug 09, 2017 at 09:21:42AM +0100, Adam Weremczuk wrote:
Could somebody confirm the status of the following:
in 6.0p1-4+deb7u6?
The security-tracker can help you verify the status for certain
CVEs and source packages. For openssh, have a look at:
I've searched for references in
/usr/share/doc/openssh-server/changelog.Debian on a system running
6.0p1-4+deb7u6 version on wheezy 7.1 but couldn't find them.
https://packages.debian.org/wheezy/openssh-server --> "Debian Changelog"
returns 404 not found.
Why is that?
That's unfortunately because of https://bugs.debian.org/490848 (and
the related merged bugs).