Vincent Danen wrote:

In fact I do.

On Thu Sep 25, 2003 at 04:51:58PM -0400, Albert Whale wrote:

I am running a System Scan on several machines. The interesting ones to me are Linux Mandrake 8.2 and 9.1. First of all, the issues are CVEs and Scanners matching Mandrake RPMs. We need to get a process or Database together to coordinate these tools. Nessus indicates that (and the CVEs reported against OpenSSH):

    You are running a version of OpenSSH which is older than 3.7.1
    Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
    functions which might allow an attacker to execute arbitrary commands on
    this host.
    An exploit for this issue is rumored to exist.
    Solution : Upgrade to OpenSSH 3.7.1
    See also :
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
    Risk factor : High
    CVE : CAN-2003-0693, CAN-2003-0695
    BID : 8628

The problem is that the Versions don't match. Looks to me like we either need to indicate that this patched version is compatible with the 3.7.1 release in the vulnerability report, OR we need a better Methodology for indicating which CVEs have been handled.

We may not LIKE the NESSUS Scanner, but it currently is the MOST WIDELY Accepted Scanner available. Like it or not, Nessus is here to stay. I would like to have the confidence in the Mandrake Tools being the cutting Edge I always tell people that they are. If the Patches on OpenSSH, Sendmail, HTTP. I would understand if this was an isolated incident, but it's not.

As it stands, those of us running Mandrake and having to run Scanners (any Scanner, it doesn't matter) to maintain a Security Policy are unable to correlate the Patched Mandrake RPMs against the 'Fixed' versions of the CVE Solutions. As I see it, we need to correlate the CVE Tables and the RPMs that Mandrake is providing as updates. If the Industry Standard is the CVE and their Solution, then we need to be able to correlate these reports to the MDKSA-yyyy-###.

As it stands right now, there is no easily identifiable CVE to MDKSA table/tool/rpm guide .... Even the CVE information is contained in the middle of each of the MDKSAs under the reference information. Perhaps having a Table for the Various OSs (I am a Silver Member) would permit us to review/print out the CVE information and the MDKSA information along with the RPM Information. This may be a GOOD First step at helping to get issues (apparently I'm not alone) identified and resolved. Certainly a Table is not a significant investment in time or effort, and you probably have all of the information readily available already. MDKSA information is useful, but the rest of us are used to tracking issues based on CVEs.

Thanks for a Great Product. Hopefully we can put issues like this to rest fairly quickly.

-- 
Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
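The correlation the post asks for (CVE id to vendor advisory to the fixed RPM release, checked against what is actually installed) is the kind of check a banner-matching scanner cannot do, because a distribution backport keeps the upstream version string while carrying the fix. The following is an added example written for this page; it is not code from the original post, from MandrakeSoft or from Nessus. The advisory rows, the `MDKSA-2003:A0x` ids, the `CAN-0000-*` ids and every version string are constructed assumptions (only the two `CAN-2003` ids come from the scanner output above), and the installed-package list is constructed to look like `rpm -qa` output with an explicit query format. It goes slightly beyond the post by implementing the general RPM epoch:version-release ordering rather than a string compare, since `10mdk` must sort after `8mdk`.

```python
"""Correlate CVE ids with vendor advisories and installed RPM versions.

Added example, not code from the mailing-list post, MandrakeSoft or Nessus.
The advisory table and package list are constructed for illustration; the
MDKSA-2003:A0x ids, CAN-0000-* ids and all version strings are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # vendor advisory id (hypothetical here)
    cves: tuple        # CVE/CAN ids the advisory says it fixes
    package: str       # RPM package name the fix ships in
    fixed_evr: str     # "epoch:version-release" that contains the fix


# Constructed rows; the CAN-2003 ids are the ones Nessus reported above,
# the CAN-0000 ids are placeholders.
ADVISORIES = (
    Advisory("MDKSA-2003:A01", ("CAN-2003-0693", "CAN-2003-0695"),
             "openssh", "0:3.6.1p2-3mdk"),
    Advisory("MDKSA-2003:A02", ("CAN-0000-0002",), "sendmail", "0:8.12.10-1mdk"),
    Advisory("MDKSA-2003:A03", ("CAN-0000-0003",), "apache", "1:1.3.27-8mdk"),
    Advisory("MDKSA-2003:A04", ("CAN-0000-0004",), "mod_ssl", "0:2.8.14-1mdk"),
)

# Constructed output of: rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (rpm prints "(none)" for a package without an epoch).
RPM_QA_OUTPUT = """\
openssh 0:3.6.1p2-3mdk
openssh-server 0:3.6.1p2-3mdk
sendmail (none):8.12.9-1mdk
apache 1:1.3.27-10mdk
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style ordering of a version or release string: split into runs of
    digits and letters (separators ignored), compare digits numerically and
    letters lexically, a digit run beats a letter run, and whichever string
    has segments left over is newer. Returns -1, 0 or 1. Tilde/caret
    ordering is not handled."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr: str) -> tuple:
    """"epoch:version-release" -> (int epoch, version, release); a missing
    or "(none)" epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Full RPM ordering: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_output(text: str) -> dict:
    """Map package name -> installed EVR from the query format above."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())


def banner_version_check(banner_version: str, fixed_upstream: str) -> bool:
    """What a banner-matching scanner does: compare the upstream version the
    daemon announces with the upstream release that fixed the bug. It cannot
    see a backport, so a patched 3.6.1p2 still looks vulnerable."""
    return rpmvercmp(banner_version, fixed_upstream) < 0


def correlate(installed: dict, advisories) -> dict:
    """Per CVE: 'VULNERABLE' if any installed package named by an advisory
    for it is behind the fixed EVR, 'patched' if all present ones are at or
    past it, 'not installed' if none of the packages is present."""
    report = {}
    for adv in advisories:
        have = installed.get(adv.package)
        if have is None:
            status = "not installed"
        elif compare_evr(have, adv.fixed_evr) >= 0:
            status = "patched"
        else:
            status = "VULNERABLE"
        for cve in adv.cves:
            entry = report.setdefault(cve, {"status": "not installed", "detail": []})
            entry["detail"].append((adv.advisory_id, adv.package, have, adv.fixed_evr))
            if status == "VULNERABLE" or entry["status"] == "not installed":
                entry["status"] = status
    return report


if __name__ == "__main__":
    for cve, entry in sorted(correlate(parse_rpm_output(RPM_QA_OUTPUT), ADVISORIES).items()):
        print(cve, entry["status"], entry["detail"])
    print("banner check flags patched 3.6.1p2:", banner_version_check("3.6.1p2", "3.7.1"))
```

Run against the constructed data, the two OpenSSH CAN ids come back `patched` because the installed `3.6.1p2-3mdk` is at the advisory's fixed release, while `banner_version_check("3.6.1p2", "3.7.1")` still reports the host as vulnerable: that is exactly the mismatch the post describes, and the advisory table, not the upstream version, is what a local check has to be keyed on. On a real host the `RPM_QA_OUTPUT` string would be replaced by the output of the `rpm -qa --qf` command shown in the comment, and the advisory rows by the vendor's published CVE-to-advisory mapping.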
