Handle CVEs fixed by Debian security updates #177
Comments
I have had a very brief look into the ssh-audit code. Adding exclusions or other notifications for patched versions of SSH appears to be a large undertaking. The ssh-audit code currently checks the major and minor versions of the SSH server and client and then does a lookup in an internal list of known vulnerabilities based on the major and minor version found. At this time it does not appear that ssh-audit makes any attempt to validate the patch number. As Debian and Ubuntu (and probably most other distros with LTS versions) tend to backport patches into older versions of SSH, this appears to raise the question: how would you check for all patch versions from all different OS distributors? For example, should the onus be on the server administrator to ensure they have installed the latest patches from their vendor? Perhaps an alternative might be the discussion and development of a way to exclude or whitelist CVEs for a specific host? Edit: Appears to be related to issue #89.
FYI, I am considering removing CVE reporting from the tool. In #240, I described the rationale, as well as set up a voting process to hear from the community on whether or not it should remain.
One of our old servers should normally not report this CVE since it's fixed by 1:7.4p1-10+deb9u4, a Debian security fix. So all versions above 1:7.4p1-10+deb9u4 are safe, for example:
1:7.4p1-10+deb9u5
1:7.4p1-10+deb9u6
etc.
Ref: https://security-tracker.debian.org/tracker/CVE-2018-15473
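The comment above notes that ssh-audit matches only the upstream major/minor version, while the issue body argues that any Debian package version at or above 1:7.4p1-10+deb9u4 carries the backported fix. The following is an added example, not ssh-audit's own code, of what such a check needs: a dpkg-style version comparison (epoch, upstream, revision; '~' sorts lowest; digit runs compared numerically, so deb9u10 is newer than deb9u4, which a plain string comparison gets wrong) applied to the Debian revision that Debian's OpenSSH embeds in its banner. It assumes the banner omits the epoch and that Debian's openssh package uses epoch 1; a banner with no Debian revision is treated as unproven, so the CVE would still be reported.

```python
import re
from itertools import zip_longest

# Debian package version the issue cites as carrying the fix for CVE-2018-15473.
FIXED_VERSION = "1:7.4p1-10+deb9u4"
# Assumption: the SSH banner omits the epoch; Debian's openssh packages use epoch 1.
ASSUMED_EPOCH = 1

def _order(c: str) -> int:
    """dpkg character weight: end of string 0, '~' below everything, letters, then other symbols."""
    if not c:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """dpkg ordering of one fragment (upstream or revision): alternating non-digit and digit runs."""
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in runs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):  # non-digit run, char by char
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):  # digit run, numerically (leading zeros irrelevant)
            return int(na or 0) - int(nb or 0)
    return 0

def cmp_debian_version(x: str, y: str) -> int:
    """Compare [epoch:]upstream[-revision] strings like dpkg: negative, zero or positive."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    ex, ux, rx = split(x)
    ey, uy, ry = split(y)
    return (ex - ey) or _cmp_fragment(ux, uy) or _cmp_fragment(rx, ry)

def banner_is_fixed(banner: str, fixed: str = FIXED_VERSION) -> bool:
    """True when a Debian OpenSSH banner reports a package version at or above the fixed one."""
    m = re.search(r"OpenSSH_(\S+) Debian-(\S+)", banner)
    if m is None:  # no Debian revision in the banner: nothing shows the backport, keep reporting
        return False
    return cmp_debian_version(f"{ASSUMED_EPOCH}:{m.group(1)}-{m.group(2)}", fixed) >= 0
```

The banner strings in the test below are constructed samples in the format Debian's OpenSSH emits; the fixed-version list would still have to be maintained per distribution, which is the maintenance cost the comment above points at.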