[svlug] rpm tips: full version including epoch, CVEs fixed via backport

Rick Moen rick at linuxmafia.com
Wed Nov 28 16:23:48 PST 2012

Some of you may have the good fortune of needing to satisfy auditors who
do what they laughingly call 'penetration tests' of the servers, in
which they check reported version strings of your network daemons and
then require you to prove that you're not vulnerable (and typically hit
you with a basically insane demand that you upgrade to something dumb --
because they've never heard of backported patches).

Auditors at an unnamed firm cited a set of 11 CVEs (Common
Vulnerabilities and Exposures reports), all concerning the Portable
OpenSSH package, that they claimed were urgent 'pen test' findings
against the firm's CentOS 5.7 servers.

Implication was that all of those were real, urgent security problems.
Investigation requires collecting data, if only to wave in the auditors'
faces and say 'See?'  First, distro release:

$ cat /etc/redhat-release
CentOS release 5.7 (final)

CPU architecture?

$ uname -m

Next, you ask the system what exact OpenSSH package version is
installed.  Tip:  Sure, 'rpm -q' returns the version number, but not the
_epoch_ modifier, which is sometimes vital.  To get that, add a
queryformat flag:

$ rpm -q --queryformat "%{EPOCH}:%{VERSION}-%{RELEASE}\n" openssh

OK, now that you have the exact installed OpenSSH package version, what
CVE patches are already built into the RPM?  Again, tip:  You can query
the RPM database about that:

$ rpm -q --changelog openssh | grep CVE
-- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)
-- CVE-2007-4752 - Prevent ssh(1) from using a trusted X11 cookie if creation of an 
--fixed audit log injection problem (CVE-2007-3102) (#248059)
-- fix an information leak in Kerberos password authentication (CVE-2006-5052)
-- CVE-2006-5794 - properly detect failed key verify in monitor (#214642)
-- CVE-2006-4924 - prevent DoS on deattack detector (#207957)
-- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
-- use fork+exec instead of system in scp - CVE-2006-0225 (#168167)

As it turned out, that grep matched five of the 11 allegedly applicable
CVEs.  Five were ones where Red Hat had statements online about the CVEs
proving that they didn't apply to OpenSSH as packaged (e.g., doesn't
bundle S/KEY one-time key support) or were not actually vulnerabilities
at all.  One was a CVE applying only to OpenSSH packages for Apple OS

More information about the svlug mailing list