OracleVM 3.2 : openssh (OVMSA-2016-0030)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- change default value of MaxStartups - CVE-2010-5107
(John Haxby)

- improve RNG seeding from /dev/random (#681291,#708056)

- make ssh(1)'s ConnectTimeout option apply to both the
TCP connection and SSH banner exchange (#750725)

- use IPV6_V6ONLY for sshd inet6 listening socket
(#640857)

- add LANGUAGE to the sent/accepted environment (#710229)

- ssh-copy-id now copies id_rsa.pub by default (#731930)

- repairs man pages (#731925)

- set cloexec on accept socket (#642935)

- add umask to sftp (#720598)

- enable lastlog for big uids (#706315)

- enable selinux domain transition to passwd_t (#689406)

- enable pubkey auth in the fips mode (#674747)

- improve reseeding the prng from /dev/urandom or
/dev/random respectively (#681291)

- periodically reseed the prng from /dev/urandom or
/dev/random respectively (#681291)

- change cipher preferences (#661716)

- change cipher preferences (#661716)

- enable running sshd as a non-root user (#661669)

- reenable rekeying (#659242)

- add nss keys to key audit patch (#632402)

- key audit patch (#632402)

- supply forced command documentation (#532559)

- compile in the OpenSSL engine support

- record lastlog with big uid (#616396)

- add OpenSSL engine support (#594815)

- backport forced command directive (#532559)

- stderr no longer disturbs sftp (#576765)

See also :

http://www.nessus.org/u?41282881

Solution :

Update the affected openssh / openssh-clients / openssh-server
packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 89020

Bugtraq ID: 58162

CVE ID: CVE-2010-5107
