PCI compliance for OpenSSH

JamesAB

Active Member
Apr 12, 2003
New Hampshire
Our server failed a PCI test with OpenSSH problems.
Do I have any other choice than to manually update OpenSSH?

Here's the installed version:
Code:
rpm -qa | grep openssh
openssh-clients-5.3p1-104.el6_6.1.x86_64
openssh-server-5.3p1-104.el6_6.1.x86_64
openssh-5.3p1-104.el6_6.1.x86_64
Thanks,
James
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
James,

Most likely your version is patched via backports. On CentOS systems, typically the main version number looks a bit old but if you check the change log it is actually up to date. Try this:

Code:
rpm -q --changelog openssh-server > changelog.txt
Search changelog.txt for the CVE numbers your PCI vendor is complaining about. I'd bet you $5 and a beer you're all good; just provide your PCI vendor the change log and RPM names. I have the same RPM versions as you do, and the most recent patch to openssh-server was about 2 weeks ago:

* Thu Nov 06 2014 Petr Lautrbach <[email protected]> 5.3p1-104.1
- Fix ControlPersist option with ProxyCommand (#1160487)
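One way to automate the changelog check described above, as an added example that is not from this thread, cPanel, or Red Hat: a POSIX shell helper that searches `rpm -q --changelog` output for each CVE id a scanner flagged and reports which ones a backport entry names. The changelog text and the CVE ids below are constructed placeholders, not real advisories.

```shell
#!/bin/sh
# Constructed stand-in for `rpm -q --changelog openssh-server` output so the
# script runs offline; the CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Thu Nov 06 2014 Maintainer <maint@example.invalid> 5.3p1-104.1
- Fix ControlPersist option with ProxyCommand (#1160487)

* Mon Sep 15 2014 Maintainer <maint@example.invalid> 5.3p1-100
- Backport fix for CVE-YYYY-0001 (placeholder id)
- Backport fix for CVE-YYYY-0002 (placeholder id)'

# Read a changelog on stdin, print the entry header and the line that mentions
# the given CVE id, and exit 0 if found, 1 if not.
# Live use: rpm -q --changelog openssh-server | cve_in_changelog CVE-XXXX-NNNN
cve_in_changelog() {
    awk -v cve="$1" '
        /^\* /          { header = $0; next }          # remember entry header
        index($0, cve)  { print header; print $0; found = 1 }
        END             { exit(found ? 0 : 1) }
    '
}

# For every CVE the scanner flagged, say whether the changelog accounts for it.
# Returns the number of CVEs NOT found, so 0 means all are covered by backports.
check_cves() {
    changelog="$1"; shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | cve_in_changelog "$cve" >/dev/null; then
            echo "$cve: fixed by backport (see changelog entry)"
        else
            echo "$cve: NOT found in changelog; investigate before closing the finding"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demo run against the constructed changelog: one covered id, one unknown id.
check_cves "$SAMPLE_CHANGELOG" CVE-YYYY-0001 CVE-YYYY-9999 || echo "$? CVE(s) unaccounted for"
```

Evidence for the PCI vendor is then the matching changelog entries together with `rpm -qa | grep openssh`, as the post suggests.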
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Yes, as mentioned in the previous post, it's likely reporting false positives based on the version number in cases where patches have been backported.

Thank you.