PCI Compliancy - openssl & openssh

Discussion in 'General Discussion' started by Belaird, Feb 11, 2008.

  1. Belaird

    I am trying to get past the PCI Compliancy checks that Controlscan does and two issues are flagged, openssl and openssh. Both are flagged as being version levels too old and insecure: openssl 0.9.7a should be 0.9.7l, and openssh 3.9 should be 4.7.
    What I'd like to know is: are the current versions of openssl and openssh with CentOS 4.6 already patched but nobody has changed the release number, and where can I find information on this to back my case in stating such?

    If they are not patched and I need to install a more current version of openssl and openssh, how, and can I, do this with my current cPanel and Apache 2.2?
     
  2. cPanelBilly


    These are automatically updated by your system (unless you turned that off in the update settings). Since you are using CentOS, which is a derivative of RHEL, and RH uses back patches rather than releasing the new binaries, most likely you are already patched.
     
  3. Belaird

    Is there a way I can tell this, and use that info to answer the audit?
     
  4. rgyure

    This might be a little late, but here is the command in case anyone needs it.

    This will show what was applied to the openssl package. Just show proof that the patch was applied and they should OK the update.

    Ryan
     
  5. BianchiDude

    Thanks! Handy command.
     
  6. Tina

    How do you update openssl?


    For the same reasons, PCI Compliance, I would need to have OpenSSL to a more recent version. It's still not clear to me how I can do that.

    Specifically which part of the system is responsible for keeping openssh current and is this something that I can do or do we just have to wait till it's done? I ask this because I upgraded just about everything I could find to upgrade (at the push of a button :) ) and when I look at openssh.org it talks about compiling and that's where I have to stop and ask for help.

    Should I ask my colo to upgrade my os?


    Thank you,

    Tina


    Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a
    WHM 11.20.0 cPanel 11.22.3-C23899
    CENTOS Enterprise 4.5 i686 on xen - WHM X v3.1.0
     
  7. skittles

    Here is a page with instructions on updating both openSSL and openSSH. Although it is from 2005, I simply changed the version numbers to the most current and I was able to update both on my server.

    I've tested the eCommerce sites on the server and everything appears to be working correctly.

    As with all things, use at your own risk.

    Here is the url: http://www.eth0.us/sshd

    -Skittles
     
  8. StevenC

    Depending on your scan vendor, you can explain to them that you are using backported patches, and provide them proof (which you can as long as your OS is updated). They will commonly shake off the alert.

    At any rate, you can compile openssh/openssl from scratch and avoid the whole issue altogether.
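
One way to assemble the proof of backported patches that the posts above refer to, as an added example that is not from any participant in this thread: it reads a package changelog in the layout `rpm -q --changelog` prints and reports, for each CVE id a scanner flagged, the package release whose entry records the fix. The helper name `backport_report`, the sample changelog, the placeholder CVE ids and the release numbers are all constructed for illustration.

```shell
#!/bin/sh
# Added example: map scanner-flagged CVE ids to the package release whose
# changelog entry records the backported fix.

# Constructed sample in the layout `rpm -q --changelog openssl` prints.
# CVE ids and release numbers are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Mon Oct 01 2007 Example Maintainer <maint@example.com> 0.9.7a-99.2
- fix CVE-0000-0002 - placeholder description (#000002)

* Tue Sep 12 2006 Example Maintainer <maint@example.com> 0.9.7a-99.1
- fix CVE-0000-0001 - placeholder description (#000001)
EOF
}

# backport_report PKG CVE... (hypothetical helper; changelog on stdin)
# Prints "PKG CVE PATCHED <release>" or "PKG CVE NOT-FOUND" per CVE.
# Assumes each "* date author" header line ends with the version-release.
backport_report() {
    pkg=$1; shift
    log=$(cat)
    for cve in "$@"; do
        rel=$(printf '%s\n' "$log" | awk -v cve="$cve" '
            /^\* / { rel = $NF; next }       # remember the current entry
            { i = index($0, cve)
              # reject prefix hits such as CVE-x-1234 inside CVE-x-12345
              if (i && substr($0, i + length(cve), 1) !~ /[0-9]/) {
                  print rel; exit } }')
        if [ -n "$rel" ]; then
            echo "$pkg $cve PATCHED $rel"
        else
            echo "$pkg $cve NOT-FOUND"
        fi
    done
}

# On the server itself, feed the real changelog instead of the sample:
#   rpm -q --changelog openssl | backport_report openssl <CVE ids from the scan>
sample_changelog | backport_report openssl CVE-0000-0001 CVE-0000-0003
```

A NOT-FOUND line means the changelog carries no entry for that id, so that finding needs a package update or a separate answer to the auditor.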
     