I just ran a PCI vulnerability scan on my system and it came up with the following CVEs: CVE-2006-5051, CVE-2006-5052 (both of these are related to OpenSSH versions prior to 4.4).
I'm pretty sure that, being 4 years old, OpenSSH has been patched. My ssh version:
# ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
and RPMs installed:
# rpm -qa | grep -i ssh
openssh-clients-4.3p2-41.el5
openssh-4.3p2-41.el5
openssh-server-4.3p2-41.el5
My question: how can I tell if I'm *really* vulnerable or not? I can look at the CVE database which lists packages and their signatures, but I don't know of a way to get a signature from a package that's already installed. Is there a way? Or is there a more reliable way to tell if I'm patched?
Scott
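One way to answer the "am I really patched?" question on a RHEL-style system is to look at the package changelog rather than the upstream version string, since distribution vendors backport security fixes without bumping that string. The script below is an added example, not part of the original post: it defines a small check that searches changelog text for a CVE id, and it runs against a constructed sample changelog (illustrative data, not the real openssh-4.3p2-41.el5 changelog). The `rpm -q --changelog` command it wraps is real rpm syntax; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an installed RPM
# carries a backported fix for a CVE by searching its changelog, instead of
# trusting the upstream version string. On a live RHEL host the input would be:
#   rpm -q --changelog openssh-server | cve_fixed_in_changelog CVE-2006-5051

# Returns 0 (true) if the changelog text on stdin mentions the CVE id in $1.
cve_fixed_in_changelog() {
    grep -q -F -- "$1"
}

# Convenience wrapper for a live system (hypothetical name; needs rpm, not run here).
# $1 = package name, $2 = CVE id
rpm_changelog_mentions() {
    rpm -q --changelog "$1" | cve_fixed_in_changelog "$2"
}

# Constructed sample changelog, shaped like `rpm -q --changelog` output.
# Packager name, dates and release numbers are made up for illustration.
SAMPLE_CHANGELOG='* Tue Sep 26 2006 Example Packager <packager@example.com> - 4.3p2-10
- fix for CVE-2006-5051 (signal handler race)
- fix for CVE-2006-5052 (Kerberos user enumeration)

* Mon Aug 14 2006 Example Packager <packager@example.com> - 4.3p2-9
- rebuild'

# $1 = CVE id; prints "patched" if the sample changelog mentions it, else "not found"
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog "$1"; then
        echo patched
    else
        echo "not found"
    fi
}

check_sample CVE-2006-5051   # patched
check_sample CVE-0000-0000   # placeholder id, not in the sample: not found
```

A hit in the changelog is evidence that the vendor applied a fix; a miss means you should cross-check the vendor's advisory for that CVE before concluding anything, since not every backport is annotated with the CVE id.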