Sorry Renaud for posting this here as well, but I'd like other people to comment on this as well.
Today I found out why Nessus is so sparse with reporting OpenSSH issues. It is because backport.inc has entries like this:

  backported_versions[i++] = "OpenSSH_3.1p1"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.4p1"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.5p1"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.6.1p2"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.7.1p2"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.8p1"; real_versions[j++] = "OpenSSH_3.9.99";
  backported_versions[i++] = "OpenSSH_3.9p1"; real_versions[j++] = "OpenSSH_3.9.99";

This effectively maps almost all openssh 3.x version strings to 3.9.99 unless you set report_paranoia to 2 (=Paranoid). There are similar entries in backport.inc for Apache.

My argument is that backport.inc was meant to map vendor (Debian/SuSE/Red Hat) version strings to real product version strings. So when you see "SSH-2.0-OpenSSH_4.3p2 Debian-9" you know that this is the Debian openssl-client package 4.3p2-9, which is really openssh 4.4p1. However, with the above examples, there is no indication whatsoever that these versions are patched or even belong to a vendor that supplies a patch.

Renaud's answer is that changing backport.inc would create too many false positives, and that you can always set report_paranoia=2 if you don't like it. My reply is that now you get a lot of false negatives, which is a lot worse (and not what report_paranoia was designed for).

What do you think? Please read the full report and Renaud's answers before answering: http://bugs.nessus.org/show_bug.cgi?id=1643

Sincerely,
Richard van den Berg

Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
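As an added example (not from the post above and not Nessus code), here is a small Python model of the remapping Richard quotes, showing how an OpenSSH 3.x banner stops matching any check for a fix below 3.9.99 at the default report_paranoia and matches again at level 2. The Debian entry and the two checks in the code are constructed illustrations, not real backport.inc entries or advisories.

```python
"""Added example (not from the original mailing-list post or from Nessus):
a small model of how backport.inc-style version remapping hides results.

The OpenSSH 3.x entries are the ones quoted in the post; the Debian entry
and the vulnerability checks are hypothetical illustrations."""
import re

# Entries quoted in the post: many OpenSSH 3.x banners collapse onto 3.9.99.
BACKPORT_MAP = {
    "OpenSSH_3.1p1": "OpenSSH_3.9.99",
    "OpenSSH_3.4p1": "OpenSSH_3.9.99",
    "OpenSSH_3.5p1": "OpenSSH_3.9.99",
    "OpenSSH_3.6.1p2": "OpenSSH_3.9.99",
    "OpenSSH_3.7.1p2": "OpenSSH_3.9.99",
    "OpenSSH_3.8p1": "OpenSSH_3.9.99",
    "OpenSSH_3.9p1": "OpenSSH_3.9.99",
    # Hypothetical vendor entry of the kind the post argues backport.inc is for.
    "OpenSSH_4.3p2 Debian-9": "OpenSSH_4.4p1",
}

# Constructed checks: (name, first fixed upstream version). Not real advisories.
CHECKS = [("issue-A fixed in 3.7", (3, 7)), ("issue-B fixed in 3.9", (3, 9))]

def parse_version(banner):
    """'SSH-2.0-OpenSSH_3.6.1p2' -> (3, 6, 1); the portable suffix 'pN' is ignored."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def effective_banner(banner, report_paranoia=1):
    """Apply the backport mapping unless the scan runs in paranoid mode (2)."""
    if report_paranoia >= 2:
        return banner
    ver = banner.split("SSH-2.0-", 1)[-1]
    return BACKPORT_MAP.get(ver, ver)

def findings(banner, report_paranoia=1):
    """Names of the checks that still fire after the remapping."""
    ver = parse_version(effective_banner(banner, report_paranoia))
    return [name for name, fixed in CHECKS if ver is not None and ver < fixed]

if __name__ == "__main__":
    b = "SSH-2.0-OpenSSH_3.6.1p2"
    print(findings(b))     # [] : silent false negative at default paranoia
    print(findings(b, 2))  # ['issue-A fixed in 3.7', 'issue-B fixed in 3.9']
```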
