Yum Update Fails

Comments

9 comments

  • cPanelMichael
    Hello, Do you have any firewall rules blocking access to that mirror? Also, check to confirm the resolvers in your /etc/resolv.conf file are valid. Thank you.
    0
  • eglwolf
    Michael, there does seem to be an issue with the /etc/resolv.conf. What IPs should be used there, ones from the hosting company (1&1) or ones that are installed on the server?
    0
  • cPanelMichael
    Hello, You'd generally use the ones offered by your hosting provider. Google offers public resolvers for use if you'd like to try different ones: Public DNS | Google Developers. Thank you.
    0
  • eglwolf
    Well now when I run Yum update I get:
    [root@localhost ~]# yum update
    Loaded plugins: fastestmirror, universal-hooks
    Loading mirror speeds from cached hostfile
     * EA4: 208.100.0.204
     * base: mirror.tedra.es
     * extras: mirror.tedra.es
     * updates: mirror.tedra.es
    No packages marked for update
    [root@localhost ~]#
    I received notice that my Trustwave Scan Failed because of this: Unsupported Version of OpenSSH. Last month it was fine, this month it isn't. This is the output I get:
    [root@localhost ~]# rpm -q --changelog openssh | grep CVE-2016
    - CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)
    - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
    - prevents CVE-2016-0777 and CVE-2016-0778
    [root@localhost ~]#
    0
  • 24x7server
    Hi, Earlier in this thread you gave output of yum update that gave a list of repo mirror URLs, so first please check if they are reachable to you now or not. # ping
    0
  • eglwolf
    This is what I get, nothing about OpenSSH.
    [root@localhost ~]# yum update
    Loaded plugins: fastestmirror, universal-hooks
    EA4 | 2.9 kB 00:00:00
    base | 3.6 kB 00:00:00
    extras | 3.4 kB 00:00:00
    updates | 3.4 kB 00:00:00
    Loading mirror speeds from cached hostfile
     * EA4: 208.100.0.204
     * base: mirror.tedra.es
     * extras: mirror.tedra.es
     * updates: mirror.tedra.es
    No packages marked for update
    [root@localhost ~]# yum clean all
    Loaded plugins: fastestmirror, universal-hooks
    Cleaning repos: EA4 base extras updates
    Cleaning up everything
    Cleaning up list of fastest mirrors
    [root@localhost ~]# yum update
    Loaded plugins: fastestmirror, universal-hooks
    EA4 | 2.9 kB 00:00:00
    base | 3.6 kB 00:00:00
    extras | 3.4 kB 00:00:00
    updates | 3.4 kB 00:00:00
    (1/5): EA4/7/x86_64/primary_db | 6.0 MB 00:00:00
    (2/5): extras/7/x86_64/primary_db | 139 kB 00:00:00
    (3/5): base/7/x86_64/group_gz | 155 kB 00:00:00
    (4/5): updates/7/x86_64/primary_db | 3.9 MB 00:00:09
    (5/5): base/7/x86_64/primary_db | 5.6 MB 00:00:10
    Determining fastest mirrors
     * EA4: 208.100.0.204
     * base: mirror.airenetworks.es
     * extras: mirror.airenetworks.es
     * updates: mirror.airenetworks.es
    No packages marked for update
    0
  • cPanelMichael
    Hello, The YUM update looks to complete successfully. It's possible a new OpenSSH package is simply not provided by your OS. What's the specific PCI compliance failure message you receive? Thank you.
    0
  • eglwolf
    There are many:
      • OpenSSH through 6.9 does not correctly restrict the use of keyboard-interactive devices within a single connection, CVE-2015-5600
      • Local privilege escalation in OpenSSH before 7.4 using sandboxed process in shared memory manager (related to m_zback and m_zlib structures), CVE-2016-10012
      • OpenSSH through 7.2p2 allows potential privilege escalation by remote attackers, CVE-2015-8325
      • Local privilege escalation in OpenSSH before 7.4 when sshd runs with root privileges (related to serverloop.c), CVE-2016-10010
      • OpenSSH SSHFP DNS resource record look up bypass in the client, CVE-2014-2653
      • X11 forwarding data allows multiple CRLF injection in OpenSSH before 7.2p2, CVE-2016-3115
      • OpenSSH before 6.9, when ForwardX11Trusted mode is not used lacks proper access restrictions, CVE-2015-5352
      • OpenSSH allows for the transmission of the entire buffer to remote servers before 7.1p2, CVE-2016-0777
    0
  • cPanelMichael
    Hello, OpenSSH is a package that's provided by your OS. You can see which security patches have been backported in the version your OS provides with a command such as this (like what you referenced earlier):
    rpm -q --changelog openssh | grep CVE
    You could respond to your PCI compliance company and show them which of those CVEs have been backported to the version of OpenSSH on your system. Thank you.
    0
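
The changelog check suggested in the last reply, extended to a whole list of scanner findings. This is an added example, not part of the thread or of any cPanel tooling; the function name `cve_backport_report` and the status words are assumptions made for illustration, and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): report which scanner-listed CVE IDs are
# named in an RPM changelog, i.e. fixes the distribution backported.
# Real use:  rpm -q --changelog openssh | cve_backport_report CVE-2016-3115 ...

# Reads changelog text on stdin; prints "<CVE> backported" or "<CVE> not-listed"
# for each CVE ID argument. Body runs in a subshell so variables stay local.
cve_backport_report() (
    # Pull out whole CVE IDs, so CVE-2016-1001 can never match CVE-2016-10012.
    known=$(grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u)
    for cve in "$@"; do
        if printf '%s\n' "$known" | grep -qxF -- "$cve"; then
            printf '%s backported\n' "$cve"
        else
            # Absent from the changelog: needs review, not proof of exposure.
            printf '%s not-listed\n' "$cve"
        fi
    done
)

# Constructed sample: the three changelog lines quoted in the thread. That
# output was filtered with "grep CVE-2016", so older IDs cannot appear here.
SAMPLE_CHANGELOG=$(cat <<'EOF'
- CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
- prevents CVE-2016-0777 and CVE-2016-0778
EOF
)

# CVE IDs from the scan findings listed in the thread.
SCAN_CVES="CVE-2015-5600 CVE-2016-10012 CVE-2015-8325 CVE-2016-10010 CVE-2014-2653 CVE-2016-3115 CVE-2015-5352 CVE-2016-0777"

# shellcheck disable=SC2086  # word splitting of SCAN_CVES is intended
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_backport_report $SCAN_CVES
```

The "backported" lines are the ones the changelog can evidence to the scanning vendor; each "not-listed" ID still has to be checked against the distribution's own security advisories.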
