PCI Compliance
We're having an issue with PCI Compliance on our server.
We've got 3 packages that need to be updated:
-EXIM
-BIND
-OPENSSH
I've got specific versions for minimum requirements that I've verified we don't meet. Our WHM version is current and I don't have any packages marked for update. So I guess the latest versions of these aren't available from cPanel?
Is there a way around this to install the updated versions so I can put this PCI stuff to bed?
-
Hello, It's possible the required security fixes are backported to the versions of those packages installed on your system. We document this at: PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation Let me know if this document helps. Thank you. 0 -
Hey Michael, That might help, I'll have to dig through those a bit more closely. However, this is another issue that was mentioned that was configuration related instead of by package version. SSH: Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater. 0 -
Ok, so I went through all of them. Everything is backported except CVE-2017-15906 because Centos hasn't released the patch yet. But this was mentioned elsewhere that it only affects read-only SFTP configurations. I removed the 1024 bit moduli from /etc/ssh/moduli and restarted SSHD. Looks like everything should be good. 0 -
Hello, I'm glad to see it's now sorted. Thank you for sharing the outcome. 0
Please sign in to leave a comment.
Comments
4 comments