Need to upgrade to openssh 6.2 +

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Need to upgrade to openssh 6.2 +

Post by gerald_clark » 2013/10/04 20:49:15

And what makes you think they are not?
You still have not provided the CVE in question.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade to openssh 6.2 +

Post by TrevorH » 2013/10/05 01:34:32

[quote]
6.1.a Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
[/quote]

To which the answer is "yes" since you have applied all the vendor (Redhat/CentOS) supplied security patches.

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/10/05 09:22:35

That's what I thought, but maybe they are misconstruing "vendor" as OpenSSH rather than Red Hat.

Here is the full fail info:


Title: OpenSSH 5.2 is vulnerable

Impact: This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a session, or to gain remote root access to the OpenSSH server.

Resolution: Upgrade to [http://www.openssh.org] OpenSSH version 6.2 or higher, or install a fix from your operating system vendor.

Risk Factor: High/ CVSS2 Base Score: 7.5

(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE: CVE-2010-4478 BID: 51702
Additional CVEs: CVE-2010-5107 CVE-2010-4755 CVE-2012-0814 CVE-2011-5000

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade to openssh 6.2 +

Post by TrevorH » 2013/10/05 15:09:21

Hooray! Some CVE numbers at last:

https://access.redhat.com/security/cve/CVE-2010-4478 - specifically the part that says "Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6."

https://access.redhat.com/security/cve/CVE-2010-5107

https://bugzilla.redhat.com/show_bug.cgi?id=681698

https://bugzilla.redhat.com/show_bug.cgi?id=785292

https://access.redhat.com/security/cve/CVE-2011-5000

All those come from Google for e.g. "site:redhat.com CVE-2011-5000"

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/10/07 15:02:11

Sorry about not posting the CVE; it's just that I had sent the compliance company that link some time ago and they took no notice.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade to openssh 6.2 +

Post by TrevorH » 2013/10/07 15:31:40

Send it to them again: it explicitly says "Not vulnerable".

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/10/08 20:39:27

Can I just check my repos are looking right? This is what happens when I run yum:

[code]
# yum update openssh
Loaded plugins: allowdowngrade, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* addons: mirror.as29550.net
* base: mirror.for.me.uk
* extras: mirror.as29550.net
* rpmforge: www.mirrorservice.org
* updates: mirror.mhd.uk.as44574.net
131 packages excluded due to repository priority protections
Setting up Update Process
No Packages marked for Update
[/code]


I've sent them the link again and another explanation of what has been said here.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Need to upgrade to openssh 6.2 +

Post by AlanBartlett » 2013/10/08 21:11:35

To help you to understand, please execute the following sequence of commands --

[code]
[b]yum clean all
yum --disablerepo \* --enablerepo base,updates check-update[/b]
[/code]
If you would like an explanation as to what is seen, feel free to post the exact output produced when the above are executed.

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/10/08 21:27:46

OK, I have done that and still no updates are available. The PCI "people" are now asking me to prove via a web link that the version of openssh installed is up to date for the CentOS version installed, CentOS release 5.8 (Final).

I'm guessing that isn't possible :evil:

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Need to upgrade to openssh 6.2 +

Post by AlanBartlett » 2013/10/08 22:34:18

You mention [i]CentOS 5.8[/i]. Usage of that version is deprecated, as 5.9 is the current release and 5.10 is on the way . . .

Please clarify the situation by showing the output produced by --

[code]
[b]rpm -qa \*release\* | sort[/b]
[/code]

[quote]
. . . the PCI "people" are now asking me to prove via a web link that the version of openssh installed is up to date for the CentOS version installed, CentOS release 5.8 (Final).
[/quote]
As has previously been written, [u][b]the numpties will [i]have[/i] to read the openssh package change log[/b][/u] . . . there is no web link.
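As an added example (not code from this thread or from the CentOS project), here is a small POSIX shell helper that does what the changelog advice above describes: it searches `rpm -q --changelog` output for a list of CVE ids and reports the package version-release whose changelog entry mentions each one, so the backported fix can be shown without a web link. The changelog text embedded below is constructed for illustration only; on a real host pass `"$(rpm -q --changelog openssh)"` as the first argument instead.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog openssh` output. The entries,
# dates, maintainer and version-release strings are illustrative, not a
# real Red Hat changelog.
SAMPLE_CHANGELOG='* Tue Jan 01 2013 Example Maintainer <maint@example.com> - 4.3p2-82
- backport fix for CVE-2010-5107
* Mon Jun 04 2012 Example Maintainer <maint@example.com> - 4.3p2-81
- fix for CVE-2012-0814
* Fri Feb 03 2012 Example Maintainer <maint@example.com> - 4.3p2-80
- fix ssh-keysign permission handling'

# check_cves "<changelog text>" CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]
# Prints one line per CVE, either "CVE-...: fixed in <version-release>"
# (the entry header that precedes the first mention) or "CVE-...: not mentioned".
# Returns 0 when every CVE is mentioned, 1 when at least one is not.
check_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        # Each changelog entry starts with "* <date> <author> - <version-release>";
        # remember that version-release and print it when the CVE id shows up
        # in the body of the entry. index() is used instead of a regex so the
        # dashes in the CVE id are matched literally.
        ver=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* / { ver = $NF }
            index($0, cve) && ver != "" { print ver; exit }')
        if [ -n "$ver" ]; then
            echo "$cve: fixed in $ver"
        else
            echo "$cve: not mentioned"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demonstration against the constructed sample: two of the three
# ids are found, so the function reports the third and returns 1.
check_cves "$SAMPLE_CHANGELOG" CVE-2010-5107 CVE-2012-0814 CVE-2011-5000 \
    || echo "at least one CVE is not mentioned in this changelog"
```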
