fixing vulnerability by installing version not available in repo ?

Support for security such as Firewalls and securing linux
fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

fixing vulnerability by installing version not available in repo ?

Post by fuzzy4096 » 2020/12/14 16:41:20

Hi All,

so I got a vulnerability scan report for one of our servers and I fail to understand how to address certain findings.
For example "OpenSSH Information Disclosure Vulnerability" with the 2 CVE IDs:

CVE-2020-14145 --> https://bugzilla.redhat.com/show_bug.cgi?id=1852930
CVE-2020-15778 --> https://bugzilla.redhat.com/show_bug.cgi?id=1860487

As per my understanding there's no fix yet. But the scan report includes a line "customers are advised to upgrade to OpenSSH 8.4/8.4 P1".

I'm on version 7.4 P1. If I executed yum update openssh it returns "nothing to do".

If I look here https://ftp.fr.openbsd.org/pub/OpenBSD/ ... /portable/ I can see the 8.4 P1 version but as I understand this would require me to compile it. Could I please ask how to address such a finding?

Thank you in advance!

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: fixing vulnerability by installing version not available in repo ?

Post by TrevorH » 2020/12/14 17:06:45

Red Hat have yet to release their patches for openssh to fix this vulnerability. When they do then CentOS will rebuild those and release them too. You should not update to something that is not shipped by CentOS.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

Re: fixing vulnerability by installing version not available in repo ?

Post by fuzzy4096 » 2020/12/14 20:41:40

Thank you for your answer. Please allow me to ask further questions:

- is there any reason the current openssh version on my CentOS Linux Release 7.9.2009 is 7.4 P1 while the upstream openssl version is at 8.4 P1 ?

- when you say that the issue is not yet fixed would it be safe to assume that the fix will be backported to openssl 7.something? meaning the vulnerability will be fixed but the vulnerability scanner will rely on checking against the openssl upstream version number not taking into consideration that the fix was backported?

- "When they do then CentOS will rebuild those and release them too" would that be the same fix as for RH? Meaning if I look at the RHSA for this given vulnerability would it be safe to assume that if my version of the openssh package for CentOS is equal to the one listed as containing the fix in the RHSA?

Thank you in advance!

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: fixing vulnerability by installing version not available in repo ?

Post by TrevorH » 2020/12/14 20:49:41

https://access.redhat.com/security/updates/backporting

CentOS package names and versions are inherited from RHEL unless they have .centos. in their names or they are modules in el8 (which get a random number added to their version number string so are not completely identical to the RHEL one).
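The two replies above make the same point from different angles: a scanner that matches the bare upstream version string (7.4p1 vs 8.4p1) will keep flagging a package that already carries a backported fix, and the correct check is against the vendor's errata version or the package changelog. The following script is an added example, not code from the thread or from the CentOS project. It assumes the installed EVR string is what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' openssh` prints, that the "fixed in" EVR is copied from the relevant RHSA, and that the changelog text is what `rpm -q --changelog openssh` prints; the sample changelog, the errata EVR and the CVE-0000-0000 identifier are constructed placeholders, while CVE-2020-14145 is modelled as "no vendor fix" exactly as the thread states.

```python
"""Decide whether an installed RPM carries a (possibly backported) CVE fix.

Added example, not from the forum thread. The rpmvercmp below is a
simplified re-implementation of rpm's segment comparison (tilde and
caret handling of real rpm are omitted, but it is an assumption that
this is adequate for el7-style release strings).
"""
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample input (NOT real errata data) -------------------
INSTALLED_EVR = "0:7.4p1-21.el7_9"     # shape of rpm -q --qf output
UPSTREAM_VERSION = "8.4p1"            # what the scanner compares against
CHANGELOG = """\
* Mon Dec 14 2020 Example Packager <packager@example.invalid> - 7.4p1-21.el7_9
- backport fix for CVE-0000-0000 (constructed placeholder entry)
* Tue Aug 04 2020 Example Packager <packager@example.invalid> - 7.4p1-21.el7
- rebuild for 7.9
"""
# Errata EVR per CVE; None models the vendor state "Will not fix".
ERRATA_FIXED_EVR: Dict[str, Optional[str]] = {
    "CVE-0000-0000": "0:7.4p1-21.el7_9",   # constructed placeholder
    "CVE-2020-14145": None,                # thread: RHEL 7 "Will not fix"
}


def _segments(s: str) -> List[str]:
    """Maximal runs of digits or letters; separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """-1, 0 or 1 like rpm: numeric segments compare numerically,
    alphabetic ones lexically, and a numeric segment beats an alphabetic one."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):            # the string with more segments is newer
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; a missing or '(none)' epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(installed: str, fixed: str) -> int:
    """Full EVR comparison: epoch first, then version, then release."""
    ie, iv, ir = parse_evr(installed)
    fe, fv, fr = parse_evr(fixed)
    if ie != fe:
        return -1 if ie < fe else 1
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def naive_scanner_flags(installed_evr: str, upstream_version: str) -> bool:
    """The flawed check: compare only the version part with upstream."""
    _, version, _ = parse_evr(installed_evr)
    return rpmvercmp(version, upstream_version) < 0


def changelog_mentions(changelog: str, cve: str) -> bool:
    """Backported fixes are normally named by CVE id in the changelog."""
    return cve.upper() in changelog.upper()


def assess(installed_evr: str, fixed_evr: Optional[str],
           changelog: str, cve: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unfixed-by-vendor' for one CVE."""
    if changelog_mentions(changelog, cve):
        return "fixed"
    if fixed_evr is None:
        # No errata exists: no yum update will change the scanner result;
        # the remaining options are the vendor's suggested mitigations.
        return "unfixed-by-vendor"
    return "fixed" if evr_compare(installed_evr, fixed_evr) >= 0 else "vulnerable"


def demo() -> Dict[str, object]:
    """Run the constructed sample through both checks."""
    return {
        "naive_flags": naive_scanner_flags(INSTALLED_EVR, UPSTREAM_VERSION),
        "CVE-0000-0000": assess(INSTALLED_EVR, ERRATA_FIXED_EVR["CVE-0000-0000"],
                                CHANGELOG, "CVE-0000-0000"),
        "CVE-2020-14145": assess(INSTALLED_EVR, ERRATA_FIXED_EVR["CVE-2020-14145"],
                                 CHANGELOG, "CVE-2020-14145"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host, replace the constants with the output of the two `rpm -q` commands named above and the fixed-in EVR from the RHSA; the "unfixed-by-vendor" branch is the honest answer for a CVE the vendor has marked "Will not fix", and the naive check stays true no matter how many backports have shipped.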

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: fixing vulnerability by installing version not available in repo ?

Post by jlehtone » 2020/12/14 21:20:13

https://access.redhat.com/security/cve/cve-2020-14145
https://access.redhat.com/security/cve/cve-2020-15778
State is "Red Hat Enterprise Linux 7 : Will not fix" for both of them.

Overall, they suggest alternatives for scp:
https://access.redhat.com/articles/5284081
fuzzy4096 wrote (2020/12/14 20:41:40):
> ... the vulnerability scanner will rely on checking against ... upstream version number not taking into consideration that the fix was backported ...
That seems to be a common case.

fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

Re: fixing vulnerability by installing version not available in repo ?

Post by fuzzy4096 » 2020/12/15 11:17:16

Yeah, and "findings" like that one just make me wonder if that even makes any sense, DLL hijacking on Linux ?
"Atlassian Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

CVE-2019-20419: DLL hijacking in Jira Server and JSD via Tomcat.

Affected Versions:
Atlassian Jira Server and Data Center version prior to 8.5.5
Atlassian Jira Server and Data Center version from 8.6.0 prior to 8.7.2

QID Detection Logic:(Unauthenticated)
It checks for vulnerable version of Atlassian Jira."
