PCI compliance for OpenSSH
Our server failed a PCI test with OpenSSH problems.
Do I have any other choice than to manually update OpenSSH?
Here's the installed version:
rpm -qa | grep openssh
openssh-clients-5.3p1-104.el6_6.1.x86_64
openssh-server-5.3p1-104.el6_6.1.x86_64
openssh-5.3p1-104.el6_6.1.x86_64
Thanks, James
James, most likely your version is patched via backports. On CentOS systems, typically the main version number looks a bit old, but if you check the change log it is actually up to date. Try this:

rpm -q --changelog openssh-server > changelog.txt

Search changelog.txt for the CVE numbers your PCI vendor is complaining about. I'd bet you $5 and a beer you're all good; just provide your PCI vendor the change log and RPM names. I have the same RPM versions as you do, and the most recent patch to openssh-server was about 2 weeks ago:

* Thu Nov 06 2014 Petr Lautrbach 5.3p1-104.1
- Fix ControlPersist option with ProxyCommand (#1160487)
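The changelog check described in the answer above, as an added shell example (not code from the thread): it takes a saved changelog and the CVE ids a scanner reported and prints which ones the vendor's backported patches reference. The CVE ids and the second changelog entry are constructed placeholders; the first entry is the one quoted in the answer.

```shell
# Added example, not code from the thread above: check a saved RPM changelog
# for the CVE ids a PCI scanner reported, so backported fixes can be shown.
# Real-host usage, as the answer suggests:
#   rpm -q --changelog openssh-server > changelog.txt
#   check_cves changelog.txt CVE-... CVE-...
# The CVE ids and the second changelog entry below are constructed
# placeholders; the first entry is the one quoted in the answer.

# check_cves FILE CVE...: print FIXED/MISSING per id; return the MISSING count.
check_cves() {
  changelog=$1
  shift
  missing=0
  for cve in "$@"; do
    # -F literal, -i case-insensitive, -w whole token so that a shorter
    # id (CVE-0000-000) does not match a longer one (CVE-0000-0001).
    if grep -qiwF -- "$cve" "$changelog"; then
      echo "FIXED   $cve (referenced in changelog: fix was backported)"
    else
      echo "MISSING $cve (not referenced: ask the vendor or update)"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# write_sample_changelog FILE: constructed sample in rpm changelog layout.
write_sample_changelog() {
  cat > "$1" <<'EOF'
* Thu Nov 06 2014 Petr Lautrbach 5.3p1-104.1
- Fix ControlPersist option with ProxyCommand (#1160487)
* Placeholder entry (constructed) 5.3p1-100
- Fix CVE-0000-0001 (placeholder id, constructed)
EOF
}

# Stand-alone demonstration against the constructed sample.
sample=$(mktemp)
write_sample_changelog "$sample"
check_cves "$sample" CVE-0000-0001 CVE-0000-0002 || echo "$? id(s) still need attention"
rm -f "$sample"
```

A non-zero exit status is the number of reported ids the changelog does not mention, which is the list to take back to the scanning vendor.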
Hello :) Yes, as mentioned in the previous post, it's likely reporting false positives based on the version number in cases where patches have been backported. Thank you.