PCI compliance for OpenSSH

Discussion in 'Security' started by JamesAB, Nov 21, 2014.

  1. JamesAB

    JamesAB Active Member

    Our server failed a PCI test with OpenSSH problems.
    Do I have any other choice than to manually update OpenSSH?

    Here's the installed version:
    Code:
    rpm -qa | grep openssh
    openssh-clients-5.3p1-104.el6_6.1.x86_64
    openssh-server-5.3p1-104.el6_6.1.x86_64
    openssh-5.3p1-104.el6_6.1.x86_64
    
    Thanks,
    James
     
  2. quizknows

    quizknows Well-Known Member

    James,

    Most likely your version is patched via backports. On CentOS systems, typically the main version number looks a bit old but if you check the change log it is actually up to date. Try this:

    Code:
    rpm -q --changelog openssh-server > changelog.txt

    Search changelog.txt for the CVE numbers your PCI vendor is complaining about. I'd bet you $5 and a beer you're all good; just provide your PCI vendor the change log and RPM names. I have the same RPM versions as you do, and the most recent patch to openssh-server was about 2 weeks ago:

    * Thu Nov 06 2014 Petr Lautrbach <plautrba@redhat.com> 5.3p1-104.1
    - Fix ControlPersist option with ProxyCommand (#1160487)
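
The changelog search suggested above, scripted as an added example that is not part of the original posts: it maps each CVE ID a scanner reports to the changelog entry that names it, which is the evidence to hand to the PCI vendor. The function name, the `CVE-0000-*` placeholder IDs and the "Example Packager" entries are constructed for illustration; only the first sample entry comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. CVE-0000-* IDs are placeholders.
# On a real host, pipe in:  rpm -q --changelog openssh-server

# Usage: cve_changelog_report CVE-ID... < changelog
# Prints per CVE: ID <TAB> LISTED <TAB> newest changelog entry naming it,
# or ID <TAB> NOT-LISTED when no entry mentions it.
cve_changelog_report() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        /^\* / { header = substr($0, 3); next }  # entry: "* date packager version"
        {
            line = " " $0 " "                     # pad so IDs at line edges match
            for (i = 1; i <= n; i++)
                # whole-token match: CVE-0000-0001 must not match CVE-0000-00011
                if (!(want[i] in hit) && line ~ ("[^0-9A-Za-z-]" want[i] "[^0-9]"))
                    hit[want[i]] = header
        }
        END {
            for (i = 1; i <= n; i++)
                if (want[i] in hit) printf "%s\tLISTED\t%s\n", want[i], hit[want[i]]
                else printf "%s\tNOT-LISTED\n", want[i]
        }'
}

# Sample changelog, newest entry first as rpm prints it.
# First entry is quoted in the thread; the other two are constructed.
sample_changelog() {
    cat <<'EOF'
* Thu Nov 06 2014 Petr Lautrbach <plautrba@redhat.com> 5.3p1-104.1
- Fix ControlPersist option with ProxyCommand (#1160487)

* Tue Jan 02 2001 Example Packager <packager@example.com> 0.0p0-2
- fix for CVE-0000-00011 (constructed entry)

* Mon Jan 01 2001 Example Packager <packager@example.com> 0.0p0-1
- fix for CVE-0000-0001 (constructed entry)
EOF
}

# CVE-0000-0001 is listed in the oldest entry; CVE-0000-0002 is not listed.
sample_changelog | cve_changelog_report CVE-0000-0001 CVE-0000-0002
```

A `NOT-LISTED` result means the changelog does not mention the ID, so that finding needs a closer look rather than being written off as a version-number false positive.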
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, as mentioned in the previous post, it's likely reporting false positives based on the version number in cases where patches have been backported.

    Thank you.
     