Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565

Philip Hands phil at hands.com
Tue Mar 15 04:55:53 AEDT 2016


abhi dhiman <abhi.dhiman83 at gmail.com> writes:

> Hi All,
>
> Actually I am working with the OpenSSH version 6.2p which is vulnerable to
> the above-mentioned vulnerabilities.

Are you sure?

I was going to suggest that you take a look at Debian's packages, such
as the 6.0p1 package from "wheezy", but looking at the changelog, I only
see mention of CVE-2008-1483:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.0p1-4+deb7u3_changelog

Likewise for 6.6p1:

  http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/openssh_6.6p1-4~bpo70+1_changelog

Note that CVE-2008-1483 was fixed in Debian's 4.7p1-5 package, on 22 Mar
2008, so I'm wondering who would have supplied a vulnerable version of
6.2p (released in 2012).

It looks to me as though it was fixed in 4.9, so I'm very doubtful
about the assertion that 6.2 is vulnerable.

As for CVE-2015-6565, this:

  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6565

claims that versions 6.8 and 6.9 are vulnerable, so again not 6.2.

I'll leave you to look at the other two.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
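The check Phil walks through above (parse the reported OpenSSH version, compare it against the version a CVE was fixed in or the versions NVD lists as affected, and look at which Debian changelog entry first mentions the CVE) can be scripted. The following is an added example, not code from the thread or from the OpenSSH or Debian projects. The version data it carries is only what the thread states (CVE-2008-1483 fixed in 4.9, Debian 4.7p1-5 as the fixing package; CVE-2015-6565 affecting 6.8 and 6.9 per NVD); the `ADVISORIES` layout and the changelog text are constructed for this example and are not a real Debian changelog.

```python
import re
from typing import Dict, Optional, Tuple

# OpenSSH version strings: "4.9", "6.2p2", "4.7p1", and the bare "6.2p" from the question.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d*))?$")


def parse_openssh_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, portable); absent parts become 0 so tuples compare cleanly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {text!r}")
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def upstream_version(debian_version: str) -> str:
    """Strip the Debian epoch ("1:") and revision ("-5") from a package version: 1:4.7p1-5 -> 4.7p1."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


# Assumed data layout for this example. Values come from the thread: CVE-2008-1483 fixed in 4.9,
# CVE-2015-6565 affecting 6.8 and 6.9 according to NVD. The other two CVEs are deliberately absent.
ADVISORIES: Dict[str, dict] = {
    "CVE-2008-1483": {"fixed_in": "4.9"},
    "CVE-2015-6565": {"affected": ["6.8", "6.9"]},
}


def is_affected(cve: str, version: str) -> Optional[bool]:
    """True/False when the advisory data answers the question; None when no data is held for the CVE."""
    rule = ADVISORIES.get(cve)
    if rule is None:
        return None
    v = parse_openssh_version(version)
    if "fixed_in" in rule:
        # Everything older than the fixing release is affected; the fixing release itself is not.
        return v < parse_openssh_version(rule["fixed_in"])
    # Explicit affected list: compare on major.minor only, as NVD lists releases that way.
    return v[:2] in {parse_openssh_version(a)[:2] for a in rule["affected"]}


# Debian changelog entries begin "package (version) distribution; urgency=..." and are newest-first.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(changelog: str) -> Dict[str, str]:
    """Map each CVE id to the upstream version of the OLDEST entry mentioning it (the fixing release)."""
    found: Dict[str, str] = {}
    current: Optional[str] = None
    for line in changelog.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = upstream_version(m.group(2))
            continue
        for cve in CVE_RE.findall(line):
            if current is not None:
                found[cve] = current  # later (older) entries overwrite newer ones
    return found


# Constructed changelog text for this example; it is NOT the real Debian openssh changelog.
SAMPLE_CHANGELOG = """\
openssh (1:6.0p1-4+deb7u3) wheezy-security; urgency=medium

  * Constructed entry: routine update, no CVE references.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2013 00:00:00 +0000

openssh (1:4.7p1-5) unstable; urgency=high

  * Constructed entry: fix for CVE-2008-1483 (X11 forwarding), as the thread
    says the real 4.7p1-5 package did.

 -- Example Maintainer <maint@example.invalid>  Sat, 22 Mar 2008 00:00:00 +0000
"""


if __name__ == "__main__":
    for cve in ("CVE-2008-1483", "CVE-2008-5161", "CVE-2015-5600", "CVE-2015-6565"):
        print(cve, "6.2p ->", is_affected(cve, "6.2p"))
    print("changelog:", cves_in_changelog(SAMPLE_CHANGELOG))
```

Running it prints `False` for CVE-2008-1483 and CVE-2015-6565 against 6.2p, matching Phil's reading, and `None` for the two CVEs the thread leaves open, which is the honest answer when no advisory data has been entered rather than a guess either way.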