OpenSSH Wildcards on AcceptEnv Vulnerability

My network security people say they are getting an OpenSSH Wildcards on AcceptEnv Vulnerability when using Trustwave to scan IP address open to the public. I have done an Update and Upgrade successfully, but the vulnerbility is still being detected.

The event log shows the following pertinent information:

Event Log: Server version: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

I believe this is a Wheezy Debian.

According to online info, Debian claims to have fixed this problem in the above version.

Any ideas?
Bill

 

If it’s wheezy then have a look in
/usr/share/doc/openssh-server/changelog.Debian.gz - you should find:

openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high

* CVE-2014-2532: Disallow invalid characters in environment variable names
to prevent bypassing AcceptEnv wildcard restrictions.
* CVE-2014-2653: Attempt SSHFP lookup even if server presents a
certificate (closes: #742513).

-- Colin Watson <> Thu, 03 Apr 2014 00:05:17 +0100

 

So I am very new to Linux. I am going to assume I use the "less" command to read the changelog.depbian.gz file. Then use zgrep -i CVE-2014-2532, if I find a CVE, to see if it has a fix installed?
Bill

 

You can do that if you're paranoid (not a bad thing nowadays), but just
looking at the version number tells you that you indeed have a fixed
one.

 

I use zrep -i and I found no reference to a fix of cve-2014-2532. It just brought back the description of cve-2014-2532.

When I did a zrep -i cve, I received several CVE descriptions and the following line: Fill in CVE idnetifier for ssh-vulnerbility fixed in 1:4.7p1-10. I don't know if this has anything to do with cve-2014-2532 nor whether cve-2014-2532 is fixed or not.

Opinions welcome!
Bill White