In our infra we're having the servers installed with CentOS 7. Recent scan (by Tenable) on the servers found a vulnerability with the current openssh version.

Current version of openssh package is 7.4p1, please find the below information:

[screenshot]

Tenable is suggesting us to upgrade openssh package version to 8.2 or higher on these machines.

But, I am sure Red Hat/CentOS 7 started shipping this openssh version 8.x from RHEL/CentOS 8 only. So, I don't think this is a best practice method, I mean using openssh package with version 8.x on CentOS version 7; I am sure this may lead to many issues due to incompatibility.

Could you please confirm if this is a false positive and won't be applicable for CentOS 7? If this is not a false positive and applicable to CentOS 7 then please do let us know the best recommended solution to address this issue. Please correct me if I am wrong.

Here is an article from Tenable regarding this:

[screenshot]

Synopsis: The SSH server running on the remote host is affected by multiple vulnerabilities.

Description: According to its banner, the version of OpenSSH running on the remote host is prior to 7.3. It is, therefore, affected by multiple vulnerabilities:

- A local privilege escalation when the UseLogin feature is enabled and PAM is configured to read .pam_environment files from home directories. (CVE-2015-8325)
- A flaw exists that is due to the program returning shorter response times for authentication requests with overly long passwords for invalid users than for valid users. This may allow a remote attacker to conduct a timing attack and enumerate valid usernames. (CVE-2016-6210)
- A denial of service vulnerability exists in the auth_password() function in auth-passwd.c due to a failure to limit password lengths for password authentication. An unauthenticated, remote attacker can exploit this, via a long string, to consume excessive CPU resources, resulting in a denial of service condition. (CVE-2016-6515)
- An unspecified flaw exists in the CBC padding oracle countermeasures that allows an unauthenticated, remote attacker to conduct a timing attack.

Installed package changelog:

```
* Thu Dmitry Belyavskiy - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
```

Please do let us know for any further information.

Reply:

And, no, upgrading to openssh 8.x is not practical or recommended. For a start, where would you get it from? No-one supplies a packaged version of this so you would have to build it yourself and if you do that from source and install it then it will overwrite the one we supply and next time there is an upgrade to ours, it will back out your self-built version and maybe render it non-operational (which I guess is 'secure'!). Or you have to package it yourself and install it as an upgrade, in which case, next time there is a security vulnerability in it and Red Hat fix it then you would not get the updated version of 7.4p1 as your installed one would be a higher version. So you'd have to subscribe to the openssh mailing list to get notification that a newer version was out and then repackage it and rebuild it and reinstall it. All far too much work.

Stick with the CentOS version, run `yum update` regularly and get security updates to the installed copy automatically.
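As an added example (not code from the thread, from CentOS or from Tenable), the script below shows why a banner-only version check fires on a distribution package that carries backported fixes, and how a defender can confirm from the RPM changelog (what `rpm -q --changelog openssh` prints) whether a reported CVE is already addressed. The changelog text, maintainer, dates, bug numbers and which entries mention which CVEs are constructed assumptions, not real CentOS 7 changelog content.

```python
import re

# Constructed sample of `rpm -q --changelog openssh` output. The maintainer,
# dates, bug numbers and CVE placements are invented for illustration only;
# run the real command on your own hosts and inspect that output instead.
SAMPLE_CHANGELOG = """\
* Thu Sep 02 2021 Example Maintainer <maint@example.invalid> - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1000001)

* Mon Jun 15 2020 Example Maintainer <maint@example.invalid> - 7.4p1-21 + 0.10.3-2
- backport: cap password length in auth_password() (CVE-2016-6515)
- backport: equalise timing for invalid users, CVE-2016-6210 (#1000002)
"""

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def banner_version(banner):
    """Return (major, minor) parsed from an SSH banner such as
    'SSH-2.0-OpenSSH_7.4', or None if it is not an OpenSSH banner."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_flagged(banner, fixed_in):
    """What a banner-only scanner check does: flag when version < fixed_in.
    It cannot see distribution backports, which is where false positives come from."""
    ver = banner_version(banner)
    return ver is not None and ver < tuple(fixed_in)


def changelog_cves(changelog):
    """Set of CVE ids mentioned anywhere in the package changelog."""
    return set(CVE_RE.findall(changelog))


def triage(banner, changelog, reported_cves, fixed_in=(8, 2)):
    """Map each scanner-reported CVE to 'not-flagged' (banner already at or
    past fixed_in), 'fixed-by-backport' (changelog records the CVE) or
    'needs-review' (no evidence either way; check vendor advisories)."""
    if not banner_flagged(banner, fixed_in):
        return {cve: "not-flagged" for cve in reported_cves}
    known = changelog_cves(changelog)
    return {cve: "fixed-by-backport" if cve in known else "needs-review"
            for cve in reported_cves}


if __name__ == "__main__":
    reported = ["CVE-2015-8325", "CVE-2016-6210", "CVE-2016-6515"]
    for cve, status in triage("SSH-2.0-OpenSSH_7.4", SAMPLE_CHANGELOG, reported).items():
        print(cve, status)
```

A CVE reported as `needs-review` is not proof of exposure: the changelog may describe the fix without naming the CVE, so cross-check against the vendor's advisory for the installed package release.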