-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> Dear Debian People,
>
> I got the following security audit of a machine I recently installed
> Debian 2.2r3 on.

This looks like output from nessus. Take everything it reports with a grain
of salt.

> I have run apt-get update and apt-get upgrade on it. The most serious
> problem appears to be with ssh. What should I do about this, if
> anything?
>
> Should I upgrade to a more recent version of ssh from testing? The current
> version of OpenSSH is at 1.2.3-9.3 and the most recent version is 2.9.

IIRC the biggest problem with OpenSSH is that the protocol isn't the
greatest.

There's a reason the package version is 1.2.3-9.3 - there have been a number
of security-related uploads since Potato was released.

It also can't tell the difference between SSH 1.2.9 and OpenSSH 1.2.9, which
is why it told you about the security hole.

> In any case, I thought security vulnerabilities were supposed to be
> fixed in stable.

They are. If you find one I think the people on the debian security team
would like to know about it.

> And does anyone have thoughts about the other warnings reported?

For the most part nessus is crying wolf. You may want to disable the daytime
service in /etc/inetd.conf, however.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche                                     [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine

iD8DBQE7QKEm/ZTSZFDeHPwRAoaoAKDgAhVdVMHzLKId9SKTgdnBxPJoWwCeKT5i
4o26P208OyPvwO+8eB5UzX4=
=/4ss
-----END PGP SIGNATURE-----
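The reply above makes two practical points: a Debian version such as 1.2.3-9.3 carries its backported security fixes in the Debian revision after the dash, which a scanner matching only the upstream number ignores, and the daytime service can be switched off in /etc/inetd.conf. The shell script below is an added example, not code from the thread or from Debian's own tools. It splits a version string the way dpkg does, counts security-related entries in a changelog, and comments out a named service in an inetd.conf-style file. The changelog and inetd.conf contents it reads are constructed for the example (the changelog entries are fictional) and are written to temporary files so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original message. All inputs below are
# constructed; no real changelog or /etc/inetd.conf is touched.

# 1. Split a Debian package version into its upstream part and Debian
#    revision: "1.2.3-9.3" -> upstream "1.2.3", revision "9.3". A scanner
#    that only compares the upstream part cannot see the revision in which
#    a distribution's backported security fixes accumulate.
upstream_version() {
    case "$1" in
        *-*) printf '%s\n' "${1%-*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

debian_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;       # native package: no revision
    esac
}

# 2. Count lines in a changelog file ($1) that mention a security fix.
#    "|| true" keeps grep's exit status 1 (no matches) from aborting under set -e.
security_entries() {
    grep -ciE 'security|CVE-|vulnerab' "$1" || true
}

# 3. Print a copy of inetd.conf ($1) with every line for service $2 commented
#    out. inetd.conf lines start with the service name, so field 1 is compared.
disable_inetd_service() {
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1"
}

# Constructed sample inputs (fictional changelog text, minimal inetd.conf).
SAMPLE_CHANGELOG=$(mktemp)
SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_CHANGELOG" "$SAMPLE_INETD"' EXIT

cat > "$SAMPLE_CHANGELOG" <<'EOF'
ssh (1.2.3-9.3) stable; urgency=high

  * Fictional entry: backport security fix for a remote overflow.

ssh (1.2.3-9.2) stable; urgency=high

  * Fictional entry: fix a vulnerability in channel handling.

ssh (1.2.3-9) unstable; urgency=low

  * Fictional entry: new upstream packaging.
EOF

cat > "$SAMPLE_INETD" <<'EOF'
#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
daytime   stream  tcp  nowait  root  internal
daytime   dgram   udp  wait    root  internal
ssh       stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/sshd -i
EOF

# Stand-alone run: show the three checks on the constructed inputs.
echo "upstream: $(upstream_version 1.2.3-9.3), revision: $(debian_revision 1.2.3-9.3)"
echo "security-related changelog lines: $(security_entries "$SAMPLE_CHANGELOG")"
disable_inetd_service "$SAMPLE_INETD" daytime
```

On a real Potato box the changelog to read is /usr/share/doc/ssh/changelog.Debian.gz (through zcat), and the edited inetd.conf only takes effect after inetd is told to reread it; the example deliberately writes to stdout rather than back to the file so that a review step sits between the two.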