Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 5 subscribers
  • Views 4733 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenSSH version upgrade

Max Zuniga

Did Sophos already release a fix for these CVEs?

 

CVE-2015-5600, CVE-2015-6563, CVE-2015-6564

CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858.

 

These are considered vulnerability and what was advised to us is to perform patching or upgrade for OpenSSH. However, only Sophos can do that.

 

Feedbacks are highly appreciated.

 



This thread was automatically locked due to age.
Parents
  • 0

    Hi Max and welcome to the UTM Community!

    2015 and 2016 vulnerabilities? I think you can assume that they were.  Even if the version of OpenSSH in use in the UTM is older, the developers prefer to patch existing code in use instead of testing new versions and hardening them.

    That said, if you see evidence that one of those CVEs seems not to have been patched, please share that here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    Hi Max and welcome to the UTM Community!

    2015 and 2016 vulnerabilities? I think you can assume that they were.  Even if the version of OpenSSH in use in the UTM is older, the developers prefer to patch existing code in use instead of testing new versions and hardening them.

    That said, if you see evidence that one of those CVEs seems not to have been patched, please share that here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    As far as i can tell, most of the time, some of those scans only check the used version and do a cut and assume, all of those "open" CVE are still affected.

    Instead, a valid test would be to try to use those attacks and see, if UTM is still affected. 

    __________________________________________________________________________________________________________________

Unfiltered HTML