PCI Compliancy - openssl & openssh

Belaird

Well-Known Member
Jun 24, 2004
I am trying to get past the PCI compliance checks that ControlScan does, and two issues are flagged: openssl and openssh. Both are flagged as being at version levels too old and insecure: openssl 0.9.7a should be 0.9.7l, and openssh 3.9 should be 4.7.
What I'd like to know is: are the current versions of openssl and openssh that ship with CentOS 4.6 already patched, with nobody having changed the release number, and where can I find information on this to back my case in stating such?

If they are not patched and I need to install a more current version of openssl and openssh, how can I do this, and can I do it with my current cPanel and Apache 2.2?

cPanelBilly

Guest
These are automatically updated by your system (unless you turned that off in the update settings). Since you are using CentOS, which is a derivative of RHEL, and RH uses backported patches rather than releasing new binaries, most likely you are already patched.
 

rgyure

Member
Jan 27, 2005
This might be a little late, but here is the command in case anyone needs it.

rpm -q --changelog openssl
This will show what was applied to the openssl package. Just show proof that the patch was applied and they should OK the update.

Ryan
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
Quoting rgyure:
> This might be a little late, but here is the command in case anyone needs it.
>
> rpm -q --changelog openssl
>
> This will show what was applied to the openssl package. Just show proof that the patch was applied and they should OK the update.
>
> Ryan

Thanks! Handy command.
 

Tina

Well-Known Member
Jan 27, 2003
How do you update openssl?

Quoting cPanelBilly:
> These are automatically updated by your system (unless you turned that off in the update settings). Since you are using CentOS which is a derivative of RHEL and RH uses back patches rather than releasing the new binaries most likely you are already patched.

For the same reason, PCI compliance, I would need to update OpenSSL to a more recent version. It's still not clear to me how I can do that.

Specifically, which part of the system is responsible for keeping openssh current, and is this something that I can do, or do we just have to wait till it's done? I ask this because I upgraded just about everything I could find to upgrade (at the push of a button :) ), and when I look at openssh.org it talks about compiling, and that's where I have to stop and ask for help.

Should I ask my colo to upgrade my os?


Thank you,

Tina


Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a
WHM 11.20.0 cPanel 11.22.3-C23899
CENTOS Enterprise 4.5 i686 on xen - WHM X v3.1.0
 

skittles

Registered
Jan 21, 2006
Here is a page with instructions on updating both OpenSSL and OpenSSH. Although it is from 2005, I simply changed the version numbers to the most current and I was able to update both on my server.

I've tested the eCommerce sites on the server and everything appears to be working correctly.

As with all things, use at your own risk.

Here is the url: http://www.eth0.us/sshd

-Skittles
 

StevenC

Well-Known Member
Jan 1, 2004
Depending on your scan vendor, you can explain to them that you are using backported patches and provide them proof (which you can, as long as your OS is updated). They will commonly shake off the alert.

At any rate, you can compile openssh/openssl from scratch and avoid the whole issue altogether.
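The thread's practical answer (rgyure's `rpm -q --changelog openssl`, and StevenC's point that the scan vendor will usually accept proof of backported patches) can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the thread, from cPanel, or from Red Hat. It searches changelog text for the CVE identifiers a scan report cites, prints the matching entries as evidence, and lists any CVE the changelog does not mention (in which case you patch first, normally with `yum update openssl openssh` on CentOS 4, rather than dispute). The sample changelog embedded in it is constructed: the packager, dates and release numbers are made up, and only the CVE identifiers are real OpenSSL 0.9.7 issues. `check_package` is the same check against the real `rpm` database and only runs where `rpm` exists.

```shell
#!/bin/sh
# Added example, not from the thread: turn `rpm -q --changelog` output into the
# evidence a PCI scan vendor asks for when it flags a backported package by version.
# The functions take the changelog as text so they can be exercised on the constructed
# sample below; check_package runs the real rpm query on a CentOS/RHEL box.

# Constructed sample in the shape of `rpm -q --changelog openssl` output on a RHEL/CentOS 4
# system. Packager, dates and release numbers are made up for this example; the CVE
# identifiers are real OpenSSL 0.9.7 issues fixed upstream in 0.9.7k and 0.9.7l, i.e. the
# kind of fix a version-only scan cannot see behind the string "0.9.7a".
SAMPLE_CHANGELOG='* Thu Sep 28 2006 Example Packager <packager@example.invalid> 0.9.7a-43.8
- fix CVE-2006-4339 - RSA signature forgery with exponent 3 keys
- fix CVE-2006-2937 - ASN.1 parsing denial of service
- fix CVE-2006-3738 - SSL_get_shared_ciphers buffer overflow

* Mon Jun 13 2005 Example Packager <packager@example.invalid> 0.9.7a-43.1
- rebuild'

# cve_lines CHANGELOG_TEXT CVE-ID
# Print the changelog lines that mention CVE-ID. Whole-word, fixed-string match, so
# CVE-2006-4339 does not match CVE-2006-43390 or CVE-2006-433. Exit 1 when nothing matches.
cve_lines() {
    printf '%s\n' "$1" | grep -iwF -- "$2"
}

# cve_in_changelog CHANGELOG_TEXT CVE-ID
# Exit 0 if the CVE is mentioned anywhere in the changelog, 1 otherwise.
cve_in_changelog() {
    cve_lines "$1" "$2" >/dev/null
}

# missing_cves CHANGELOG_TEXT CVE-ID...
# Print each CVE from the scan report that the changelog does NOT mention.
# Exit 0 if every CVE is covered (dispute the finding), 1 if any is missing (patch first).
missing_cves() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        if ! cve_in_changelog "$changelog" "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return $rc
}

# check_package PACKAGE CVE-ID...
# The same check against the installed package's real changelog. Run it after
# `yum update PACKAGE` so the changelog reflects the build that is actually installed.
check_package() {
    pkg=$1
    shift
    if ! command -v rpm >/dev/null 2>&1; then
        printf 'rpm not found; cannot query %s\n' "$pkg" >&2
        return 2
    fi
    missing_cves "$(rpm -q --changelog "$pkg")" "$@"
}

# Walk-through on the constructed sample. On a real box the equivalent is:
#   check_package openssl CVE-2006-4339 CVE-2006-2937 CVE-2006-3738
cve_lines "$SAMPLE_CHANGELOG" CVE-2006-4339
if missing_cves "$SAMPLE_CHANGELOG" CVE-2006-4339 CVE-2006-2937 CVE-2006-3738; then
    echo "every CVE from the scan report appears in the changelog: dispute the finding"
else
    echo "some CVEs are not covered: update the package before disputing"
fi
```

Paste the `cve_lines` output, together with `rpm -q openssl` and `rpm -q openssh-server`, into the scan vendor's dispute; the CVE list to check against is the one the vendor's report cites for the version it expects, not the bare version number. If you instead compile OpenSSL or OpenSSH from source as skittles and StevenC describe, the scanner will see the newer version string, but the distribution's updater will no longer patch those binaries for you, so future fixes become your own job.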