Hi,
We are using multiple WS-26-400-IDC switches (firmware version 1.5.6) to monitor some PoE cameras at some of our special buildings and we are getting notified by our vulnerability management software (Tenable) that our version of Dropbear SSL Server is no longer supported and is at risk of multiple vulnerabilities with a VPR rating of 6.7/10 (we are running version 0.53 and the supported version is 2016.74). Is there going to be a firmware update that will fix these vulnerabilities in the future?
Unsupported Dropbear Version
- peter.fowler
- Member
- Posts: 13
- Joined: Thu Sep 03, 2020 6:22 pm
- Has thanked: 0 time
- Been thanked: 1 time
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Unsupported Dropbear Version
For anyone interested, we have now upgraded to Dropbear 2020.81 on v.1.5.9rcX, and you can download it here
- peter.fowler
- Member
- Posts: 13
- Joined: Thu Sep 03, 2020 6:22 pm
- Has thanked: 0 time
- Been thanked: 1 time
Re: Unsupported Dropbear Version
Hi Stephen, thanks for the update regarding 1.5.9 RC1 but is there a specific timeframe for when this version will go into the stable channel as I am hesitant to upgrade our switches to an RC build? Also is the RC build the preferred option though for future updates?
-
Stephen - Employee
- Posts: 1033
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: Unsupported Dropbear Version
Hello peter.fowler, it will eventually be integrated into a 1.5.9 release. If you wish to wait to update until then, that is OK, but as a rule typically RC releases from us are fine in production unless otherwise specified in the release notes.
- peter.fowler
- Member
- Posts: 13
- Joined: Thu Sep 03, 2020 6:22 pm
- Has thanked: 0 time
- Been thanked: 1 time
Re: Unsupported Dropbear Version
Thanks for the update and sorry for not replying sooner, but do you have an approximate ETA for these features as part of stabilizing 1.5.9 to production? My manager and our security manager are keen to know what the next steps will be, including a roadmap for this. (FYI, all our WS-26-400-IDC switches are now on the 1.5.8 production release build.)
- peter.fowler
- Member
- Posts: 13
- Joined: Thu Sep 03, 2020 6:22 pm
- Has thanked: 0 time
- Been thanked: 1 time
Re: Unsupported Dropbear Version
I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus)
-
sirhc - Employee
- Posts: 7415
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Unsupported Dropbear Version
peter.fowler wrote: I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus)
Yes, when Eric updated openssl to a version that supported TLS 1.2, that would affect SSH / EMAIL / HTTPS as I think they all share that package.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.