>>106134342
I mean, in practice is pretty much a non issue. You can setup your servers with Debian and be golden. But at least on Enterprise, that is a no no. Because audits are a thing and once it detects something is not fixed, it will rather tell you to put that server down than risk it. I should have stated that Debian was not good for enterprise server, not all servers.
And as long as you do make your support, everything should be fine.
For openssl and openssh, keep track of what ciphers are allowed.
Last issue I had with a client's cibersecurity team was about them detecting a version different that didn't support an specific CVE (CVE-2023-48795), that one in particular was interesting because at the time of detection, the package openssh_9.2 had no fix for the CVE. However, a week later, a patch was released, openssh_9.2p1-2+deb12u2 and the CVE was fixed, but the audit detected a vulnerability, turns out they needed to detect openssh version 9.6 at least. But they had whatever red hat version was at the moment, so I don't know what tool they were using but clearly it was more about detection version for Canonical and RHEL rather than reviewing package outputs, because clearly the flagged ciphers were gone.
One tool I use for audits is openscap, it is great for finding certain vulnerabilities, but don't take them all as such, cibersecurity dudes like to complain how everything is horrible and blame it on everyone all the time.
https://www.open-scap.org/
And while Enterprise rushes and do invest research on finding the vulnerabilities in the first place, they also sell some bullshit like RHEL post-quantum algorithms, which I'm not saying don't work, but come on, cybersecurity might want to push it as an standard soon.
https://openquantumsafe.org/about/#overview
