ssh-audit
CVE-2018-15473
Scanning Ubuntu 18.04 LTS. Per Ubuntu security notification this is fixed as of package 1:7.6p1-4ubuntu0.1 but it is still flagged in the output of a system updated to 1:7.6p1-4ubuntu0.3.
On Mon, 2021-01-04 at 07:36 -0800, Adam Korab wrote:
> Scanning Ubuntu 18.04 LTS. Per Ubuntu security notification this is fixed as of package 1:7.6p1-4ubuntu0.1 but it is still flagged in the output of a system updated to 1:7.6p1-4ubuntu0.3.
Thanks for reporting this. It can be fixed by extending the header version parsing logic to understand the extra version information that is given during the connection setup (i.e.: "Ubuntu-4ubuntu0.1" vs. "Ubuntu-4ubuntu0.3").
I could use help from the community in writing this patch.
-- Joseph S. Testa II Founder & Principal Security Consultant Positron Security
I'll take a stab at it, but I wanted to first call it out and verify if it was indeed a false positive, or if the openssh-server package was just still broken.
The latter scenario has been known to happen from time to time. :)
Thanks for being so responsive.
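A sketch of the banner comparison proposed in the reply above, as an added example that is not ssh-audit's code or a patch from this thread. The table `BACKPORTED_FIXES`, the function names and the sample banners are hypothetical, and the revision ordering is a simplified stand-in for dpkg's version comparison.

```python
import re

# Fixed package per the Ubuntu notice quoted in the thread: 1:7.6p1-4ubuntu0.1
# (epoch 1, upstream 7.6p1, revision 4ubuntu0.1). The table layout is an
# assumption of this example, not ssh-audit's data model.
BACKPORTED_FIXES = {
    ("CVE-2018-15473", "7.6p1", "Ubuntu"): "4ubuntu0.1",
}

# Banner form: "SSH-2.0-OpenSSH_<upstream>[ <Vendor>-<revision>]"
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<upstream>\S+)"
    r"(?: (?P<vendor>[A-Za-z]+)-(?P<rev>\S+))?\s*$"
)

def parse_banner(banner):
    """Return (upstream, vendor, revision); vendor/revision may be None."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return m.group("upstream"), m.group("vendor"), m.group("rev")

def revision_key(rev):
    """Split '4ubuntu0.3' into digit and non-digit runs so that numeric
    parts compare as integers (0.10 sorts after 0.3)."""
    return [(1, int(t), "") if t.isdigit() else (0, 0, t)
            for t in re.findall(r"\d+|\D+", rev)]

def still_flagged(cve, banner):
    """True if `cve` should stay flagged for a server whose upstream
    version is already known to match the CVE."""
    parsed = parse_banner(banner)
    if parsed is None:
        return True  # unparseable banner: keep the finding
    upstream, vendor, rev = parsed
    fixed = BACKPORTED_FIXES.get((cve, upstream, vendor))
    if fixed is None or rev is None:
        return True  # no vendor revision to compare: keep the finding
    return revision_key(rev) < revision_key(fixed)

if __name__ == "__main__":
    # Constructed sample banners
    for b in ("SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
              "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4",
              "SSH-2.0-OpenSSH_7.6p1"):
        print(b, "->", still_flagged("CVE-2018-15473", b))
```

The banner is self-reported by the server, so a suppression like this is an inference from the advertised package revision, not proof that the fix is installed.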