Hi, sorry if this is a very basic question, but what is the recommended way of dealing with false positives? Is there any list we can report them to check if they are really false positives or not?
For example, we get an issue because the version of OpenSSH is older than 5.7, but we have the last upgrades in all SW. The solution would be to upgrade, but in this CentOS FAQ they advise not to do it:

Q: CentOS uses version X of OpenSSH and the latest version is version Y. Version X contained a serious security flaw, should I upgrade?

A: No. The Upstream Vendor has a policy of backporting security patches from the latest releases into the current distribution version. As long as you have the latest updates applied for your CentOS distribution you are fully patched. See here for further details of backporting security patches:

source: http://wiki.centos.org/HowTos/Network/SecuringSSH#head-269bff20ef58d0317e9e222927e738872730f713

thx
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
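
An added example, not part of the original post or of OpenVAS: one way to triage a banner-version finding on a backporting distribution is to check whether the CVE ids from the finding appear in the package changelog. The function name `triage_finding`, the sample changelog and the CVE ids are constructed for illustration; `rpm -q --changelog` is the real query that would feed it.

```shell
#!/bin/sh
# Added example: triage a banner-version finding on a distro that backports fixes.
# Usage on a real host (CVE ids come from the scanner finding):
#   rpm -q --changelog openssh-server | triage_finding CVE-XXXX-NNNN ...

# Reads package changelog text on stdin; for each CVE id argument prints whether
# the packager's changelog mentions it, then a one-line verdict.
triage_finding() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        # -F: fixed string, -w: whole word, so an id never matches a longer id
        if printf '%s\n' "$changelog" | grep -qiwF -e "$cve"; then
            echo "$cve backported"
        else
            echo "$cve not-in-changelog"
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -eq 0 ]; then
        echo "verdict: likely-false-positive"
    else
        # Absence from the changelog is not proof of exposure; check the
        # vendor's advisory for the id before deciding.
        echo "verdict: needs-review ($missing unconfirmed)"
    fi
}

# Constructed sample in rpm changelog layout (ids and versions are made up).
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Example Packager <pkg@example.invalid> - 5.3p1-99
- backport fix for CVE-0000-0001
* Sun Dec 31 2000 Example Packager <pkg@example.invalid> - 5.3p1-98
- resolve CVE-0000-00022'

printf '%s\n' "$SAMPLE_CHANGELOG" | triage_finding CVE-0000-0001 CVE-0000-0002
```

A "likely-false-positive" verdict is evidence to record against the finding, and the installed package release should still match the one named in the changelog entry.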
