I also got an OpenSSH red flag (ID 22466) for Debian Etch, OpenSSH 1:4.3p2-9. The systems had been clean until the most recent scan (10/18).

We run many Debian Etch servers, and get a lot of red flags. Are they also false positives? I read some changelogs of the Debian OpenSSH server package; it looks like at least 2005-5051 is fixed in 1:4.3p2-4.

Xueshan

Quoting Jeff Chapin <[EMAIL PROTECTED]>:

> Hello,
>
> CentOS release 4.5 (Final), with CPanel here. Using a Nessus scan with
> ssh credentials, I am getting the following as a critical error:
>
> According to its banner, the version of OpenSSH installed on the
> remote host contains a race condition that may allow an
> unauthenticated remote attacker to crash the service or, on portable
> OpenSSH, possibly execute code on the affected host. In addition,
> another flaw exists that may allow an attacker to determine the
> validity of usernames on some platforms.
>
> However, from the linked CVE, and the linked Redhat Errata
> (RHSA-2006:0698-8) it appears that this is a corrected issue with a
> backported patch. I am not sure that the version I have is NOT
> vulnerable, or that I am reading this documentation correctly.
>
> Here is some additional info that may be relevant:
>
> Installed Packages
> openssh.i386 3.9p1-8.RHEL4.20 installed
>
> # ssh -v
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
>
> Thanks!
>
> Jeff
>
> JEFF CHAPIN
> SYSTEM ADMINISTRATOR
> T8DESIGN.COM | P 319.266.7574 - x267 | 877.T8IDEAS | F 888.290.4675
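As an added example (not code from this thread), this is the check both posters are doing by hand: comparing the installed Debian package version against the version in which the package changelog records the backported fix, using dpkg's ordering rules (epoch, upstream, revision, and the `~` rule), which a banner-only scanner check cannot see. The versions used are the ones quoted above; the "fixed in" value is whatever the changelog states, here 1:4.3p2-4.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character ordering: '~' sorts before anything, even end of string;
    # end of string and digits are 0; letters by code point; symbols after letters.
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate between non-digit runs (dpkg order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a), re.match(r"\D*", b)
        for x, y in zip_longest(na.group(), nb.group(), fillvalue=""):
            if _order(x) != _order(y):
                return 1 if _order(x) > _order(y) else -1
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"\d*", a), re.match(r"\d*", b)
        ia, ib = int(da.group() or 0), int(db.group() or 0)
        if ia != ib:
            return 1 if ia > ib else -1
        a, b = a[da.end():], b[db.end():]
    return 0

def _split(version):
    # "[epoch:]upstream[-revision]"; the revision follows the LAST '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_version_cmp(a, b):
    """Return -1, 0 or 1, following the dpkg --compare-versions rules."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed, fixed_in):
    """True when the installed package version is at or above the version
    whose changelog entry records the backported fix (e.g. 1:4.3p2-4)."""
    return deb_version_cmp(installed, fixed_in) >= 0
```

`is_fixed("1:4.3p2-9", "1:4.3p2-4")` returns True, while the upstream string the banner exposes ("4.3p2") is identical for every Debian revision, fixed or not.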
