Upgrade OpenSSH on server

Comments

7 comments

  • Samet Chan
    Do you mean upgrading the WHM version or the OpenSSL version?
    0
  • cPanelMichael
    Hello, OpenSSH and OpenSSL are packages that are provided by your OS (e.g. CentOS). You can update your system packages to the latest versions offered by your OS with the "yum update" command. Additionally, you can see which security patches have been backported in the version your OS provides with a command such as this:
    rpm -q --changelog openssh | grep CVE
    Thank you.
    0
  • Samet Chan
    Where can I see the latest version of OpenSSL?
    0
  • cPanelMichael
    Hello, You can verify which version of OpenSSL is installed with the following command:
    openssl version
    Thank you.
    0
  • Samet Chan
    OpenSSL 1.0.1e-fips 11 Feb 2013
    Do we have the latest version of OpenSSL?
    0
  • cPanelMichael
    Yes, the version you provided matches what's installed on a test system running CentOS 7.3. You can also use the below command to verify the patches that have been backported:
    rpm -q --changelog openssh | grep CVE
    Here's what the output looks like on a CentOS 7.3 system:
    ]# rpm -q --changelog openssh | grep CVE
    - CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (#1329191)
    - CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)
    - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
    - prevents CVE-2016-0777 and CVE-2016-0778
    - Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864)
    - only query each keyboard-interactive device once (CVE-2015-5600) (#1245971)
    - add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278
    - prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
    - change default value of MaxStartups - CVE-2010-5107 (#908707)
    - CVE-2010-4755
    - fixed audit log injection problem (CVE-2007-3102)
    - CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
    - CVE-2006-4924 - prevent DoS on deattack detector (#207957)
    - CVE-2006-5051 - don't call cleanups from signal handler (#208459)
    - use fork+exec instead of system in scp - CVE-2006-0225 (#168167)
    Thank you.
    0
  • Samet Chan
    Thank you. I checked, and it's the same as these change logs.
    0
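
The changelog check from the replies above, as an added example (not part of the original thread and not cPanel's own tooling): it reads `rpm -q --changelog <package>` output on stdin and reports whether each CVE ID you name is mentioned. The function names and the placeholder ID CVE-2099-0001 are assumptions made for illustration; the embedded sample lines are copied from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: check which CVE IDs a package changelog mentions.
# Input is the text printed by: rpm -q --changelog <package>

# Sample input: three lines copied from the CentOS 7.3 output quoted above.
sample_changelog() {
    cat <<'EOF'
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
- prevents CVE-2016-0777 and CVE-2016-0778
- only query each keyboard-interactive device once (CVE-2015-5600) (#1245971)
EOF
}

# list_cves: read changelog text on stdin, print each distinct CVE ID once.
# Handles several IDs on one line and IDs wrapped in parentheses.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_status ID...: read changelog text on stdin and print "<ID> listed" or
# "<ID> not-listed" for every ID given. Returns 1 if any ID is not listed.
cve_status() {
    cs_found=$(list_cves)
    cs_missing=0
    for cs_id in "$@"; do
        # -x matches the whole extracted ID, so a shorter prefix of a real
        # ID is never counted as a hit.
        if printf '%s\n' "$cs_found" | grep -qxF -- "$cs_id"; then
            echo "$cs_id listed"
        else
            echo "$cs_id not-listed"
            cs_missing=1
        fi
    done
    return "$cs_missing"
}

# Demo on the embedded sample; CVE-2099-0001 is a made-up placeholder ID.
sample_changelog | cve_status CVE-2016-0777 CVE-2015-5600 CVE-2099-0001 || true
```

On a server, pipe the real changelog in, for example `rpm -q --changelog openssh | cve_status CVE-2016-0777`. A "not-listed" result only means the changelog does not mention that ID, so confirm against the OS vendor's advisory for the package.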