Via Qualys PCI Compliance I have the following two items failing for my web server:

Code:
Bugtraq ID: 45304
CVE ID: CVE-2010-4478
Vendor Reference: OpenSSH J-PAKE
Last Update: 03/01/2013 at 17:10:16
Threat: OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Affected Software: OpenSSH versions 5.6 and prior.
Impact: Successful exploitation allows attacker to get access to the remote system.
Solution: Upgrade to OpenSSH 5.7 or later, available from the OpenSSH Web site.
Result: SSH-2.0-OpenSSH_5.3

And

Code:
Web Server Uses Plain Text Basic Authentication
QID: 86763
Severity: 2 Vulnerability Severity 2
CVSS Base: 5 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal: 3.8 E:U/RL:U/RC:UC
PCI Compliance Status: FAIL
Info The QID adheres to the PCI requirements based on the CVSS basescore.
Category: Web server
Port/Service: 2077 / Web server (tcp)
False Positive: N/A
Bugtraq ID: -
CVE ID: -
Vendor Reference: -
Last Update: 05/11/2009 at 15:17:19
Threat: During Web server authentication, communication can take place with the user by Clear Text User Credentials.
Impact: Using Readable Clear Text can help eavesdropping and thereby compromise confidentiality. An attacker can successfully exploit this issue when the 401 error is returned when authentication is required. Also, an attacker can find out that the Basic Authentication scheme is used using the WWW-authenticate header.
Solution: Please contact the vendor of the hardware/software for a possible fix for the issue.

My questions are: how can I upgrade OpenSSH on CentOS 6.4 x86_64, and how do I fix "Web Server Uses Plain Text Basic Authentication"? I can't figure it out; any help would be awesome!