Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 6 subscribers
  • Views 5072 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenSSH version upgrade

Max Zuniga

Did Sophos already release a fix for these CVEs?

 

CVE-2015-5600, CVE-2015-6563, CVE-2015-6564

CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858.

 

These are considered vulnerability and what was advised to us is to perform patching or upgrade for OpenSSH. However, only Sophos can do that.

 

Feedbacks are highly appreciated.

 



This thread was automatically locked due to age.
  • 0

    Hi Max and welcome to the UTM Community!

    2015 and 2016 vulnerabilities? I think you can assume that they were.  Even if the version of OpenSSH in use in the UTM is older, the developers prefer to patch existing code in use instead of testing new versions and hardening them.

    That said, if you see evidence that one of those CVEs seems not to have been patched, please share that here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    As far as i can tell, most of the time, some of those scans only check the used version and do a cut and assume, all of those "open" CVE are still affected.

    Instead, a valid test would be to try to use those attacks and see, if UTM is still affected. 

    __________________________________________________________________________________________________________________

  • 0

    The CVE's fixed are usually listed in the release notes, so these could be searched?

  • 0 in reply to Harro Verton

    I just checked that Harro, and it looks like most of those CVEs were from before the Up2Date blog was started.  I looked for 2016-8858 and didn't find it either.  Then I searched in general for it and found that OpenSSH doesn't consider the CVE correct and did nothing about it.  As MBP said, most of those scanners are blunt knives, not honed, surgical steel. ;-)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML