On 12/04/2019 5:35 pm, Timothy Sipples wrote:
> Paul Jodlowski wrote:
>> Currently OpenSSH is at 6.4p1; I have been asked by our
>> Network Security Team to upgrade to OpenSSH 7.4.
> That's an "amusing" recommendation from your Network Security Team. Unless
> security patches have been backported and applied to a particular
> distribution of OpenSSH, OpenSSH 7.4p1 has at least three known security
> vulnerabilities that I see: CVE-2018-15919, CVE-2018-15473, and
> CVE-2017-15906.
> So is your Network Security Team running around and getting lots of other
> systems "updated" to an insecure release of OpenSSH (7.4), if those other
> systems don't have backported security patches? Probably. Ooops.
As far as I can see those CVEs also apply to 6.4p1. How would you go
about verifying that they had been fixed in z/OS ssh? Suggesting that
their existence means that 7.4 is insecure (more so than 6.4p1) seems
very misleading to me.
Looking at the CVE list, I can guess that the security team might be
interested in the more severe CVEs applying to ssh before 7.4, e.g.
CVE-2016-10010, CVE-2016-10012. How would you verify that the fixes are
applied to z/OS 6.4p1? (Reading between the lines the changes sound
significant enough to make backporting unlikely.)
Andrew Rowley
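Added example, not part of the thread: a small Python triage helper that pulls the OpenSSH version out of `ssh -V` output or a server banner and lists which of the CVEs named above fall inside the upstream affected range for that version. The affected ranges are taken from the public CVE descriptions as I recall them and should be checked against NVD and the vendor's advisory; the sample inputs are constructed, and, as the thread points out, a match only means "exposed unless the vendor backported the fix", which the version string alone cannot tell you.

```python
import re

# Upstream affected ranges for the CVEs discussed in the thread.
# ASSUMPTION: taken from the public CVE descriptions as I recall them;
# verify against NVD and the vendor advisory before acting on them.
# Each entry: (cve_id, first_affected or None, first_fixed)
CVE_RANGES = [
    ("CVE-2016-10010", None, (7, 4)),    # before 7.4
    ("CVE-2016-10012", None, (7, 4)),    # before 7.4
    ("CVE-2017-15906", None, (7, 6)),    # before 7.6
    ("CVE-2018-15473", None, (7, 8)),    # through 7.7
    ("CVE-2018-15919", (5, 9), (7, 9)),  # 5.9 through 7.8
]

# Matches "OpenSSH_7.4p1" in `ssh -V` output and "SSH-2.0-OpenSSH_6.4" banners.
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?")

# Constructed sample inputs: a z/OS-style `ssh -V` line and a raw server banner.
SAMPLES = {
    "zos-ssh-V": "OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013",
    "banner": "SSH-2.0-OpenSSH_7.4",
}


def parse_openssh_version(text):
    """Return (major, minor) for the first OpenSSH version string in text, or None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def cves_in_range(version):
    """CVE ids whose upstream affected range contains version (a (major, minor) tuple)."""
    hits = []
    for cve, first_affected, first_fixed in CVE_RANGES:
        if first_affected is not None and version < first_affected:
            continue
        if version < first_fixed:
            hits.append(cve)
    return hits


def triage(text):
    """Map a version string to the CVEs that are in range for it upstream.

    A hit means "affected unless the vendor backported the fix"; a vendor
    build such as z/OS ssh may carry fixes the version number does not show,
    so confirm against the vendor's advisory rather than the banner."""
    version = parse_openssh_version(text)
    return {"version": version, "in_range": cves_in_range(version) if version else []}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```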
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN