I am running CentOS 5.7 and need to upgrade OpenSSH to the latest stable version (PCI compliance issues). However, the most recent version available via the CentOS yum repository is 4.3p2. How can I update to the latest stable version using yum? Is there a different repository I should setup?
5 Answers
As far as security fixes are concerned, you're all set; your compliance scanner is the one that's wrong.
A lot of those scanners do their vulnerability detection via a check of the version string (in this case, a check of the string that OpenSSH sends to connecting clients including its version), which often leads to false positives when those scanners assume "issue X was fixed in OpenSSH version 5.whatever". Try changing an Apache server to ServerTokens Major and watch the scanner light up with a bunch of 2.0 vulnerabilities, regardless of what version you're actually on.
Figure out exactly what vulnerabilities the scan thinks you have, find them in the RPM's changelog, and send your scan vendor the version that you're on as proof that the scan's detection is a false positive. And this link, for good measure.

View the changelog for the rpm and grep for CVE:

# rpm -q --changelog openssl | grep CVE
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- fix CVE-2009-0590
- reject incorrectly encoded ASN.1 strings (#492304)

We don't see CVE-2009-3555, so this rpm is potentially vulnerable and should be replaced. Obtain the recommended replacement for openssl from your vendor and apply it. Repeat this for all the packages the vendor recommends in the response and you are done. – gm3dmo Dec 19 '11 at 21:13
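The changelog check described in the answer above and in gm3dmo's comment, as an added shell example that is not from the thread; the sample changelog text and the check_cves / count_missing functions are constructed here, and on a real host the changelog would come from rpm -q --changelog instead:

```shell
#!/bin/sh
# Added example (not from the thread): check whether the CVE IDs a scanner
# reports are named in an RPM's changelog, which is where Red Hat/CentOS
# document backported fixes. The changelog text arrives on stdin, so the
# same function can be fed by `rpm -q --changelog <pkg>` on a real host or,
# as below, by a constructed sample.

# Print FOUND/MISSING for each CVE ID given as an argument.
check_cves() {
    changelog=$(cat)
    for cve in "$@"; do
        # -F: literal match, -w: whole token, so CVE-2009-1386 does not
        # match CVE-2009-13860.
        if printf '%s\n' "$changelog" | grep -q -F -w -e "$cve"; then
            echo "FOUND   $cve"
        else
            echo "MISSING $cve"
        fi
    done
}

# Print the number of requested CVEs that the changelog does not mention.
count_missing() {
    check_cves "$@" | grep -c '^MISSING' || true
}

# Constructed sample changelog, modelled on the openssl excerpt quoted in the
# comment above (the date/maintainer line is hypothetical).
SAMPLE_CHANGELOG='* Mon Jun 01 2009 Example Maintainer <maint@example.com> 0.9.8e-12
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- fix CVE-2009-0590 - reject incorrectly encoded ASN.1 strings (#492304)'

# Demo: the first two are backported, CVE-2009-3555 is not, so that one
# needs the vendor's replacement package rather than a contested finding.
printf '%s\n' "$SAMPLE_CHANGELOG" | check_cves CVE-2009-1386 CVE-2009-0590 CVE-2009-3555
echo "missing: $(printf '%s\n' "$SAMPLE_CHANGELOG" | count_missing CVE-2009-1386 CVE-2009-3555)"
# On a real host:  rpm -q --changelog openssh | check_cves CVE-XXXX-YYYY ...
```

A CVE reported FOUND is evidence to send the scan vendor; a CVE reported MISSING is the case where the package really should be replaced.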
Keep in mind that Red Hat backports all security fixes into its stable version of SSH.
So, running a yum update openssh will update you to the latest, stable, patched version for your Operating System. This should be good enough for any sane PCI compliance requirement, but it might require education on the part of the PCI compliance officer.
Also see this related question for some useful tips: CentOS PCI Compliance assessment

Every PCI scanning company has different methods, but typically you can contest the result as a False Positive.
Provide them with your current OS version, SSH version and when it was installed.
I use
rpm -qa --last|grep "name"
Where name is the name of the rpms for the service in which you are interested. In this case "ssh" will do.
Send them this data. This is usually sufficient in most cases.

OpenSSH 4.3p2 is the only version of OpenSSH officially supported by CentOS 4.7.
Of course you could build a package for a more recent version of OpenSSH yourself but I doubt that this would solve your "PCI compliance issues".
What issues do you have exactly with OpenSSH 4.3p2?
