Comment 22 for bug 1794629

Seth Arnold (seth-arnold) wrote :

Root, aha! We've finally uncovered the root of the problem. (Sorry. I can't help myself. It's Friday afternoon.)

While Qualys' TLS scanner is a top-notch tool that I use regularly, their "security scanner" is sadly not. They have built a tool that checks version numbers. This is not ideal, because the clear majority of Linux systems do not do wholesale version updates but instead backport specific security fixes:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting

These sorts of security scanners would be more useful if everyone built their entire systems from scratch.

Anyway, please ask Qualys to consider consuming our OVAL data:
https://people.canonical.com/~ubuntu-security/oval/
or parsing our database directly:
https://git.launchpad.net/ubuntu-cve-tracker

Both of these approaches would give better results. (There are tradeoffs involved. They are welcome to contact us at <email address hidden> if they would like to discuss the tradeoffs.)

Thanks