Need to upgrade to openssh 6.2 +
-
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: Need to upgrade to openssh 6.2 +
And what makes you think they are not?
You still have not provided the CVE in question.
Re: Need to upgrade to openssh 6.2 +
[quote]
6.1.a Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
[/quote]
To which the answer is "yes" since you have applied all the vendor (Redhat/CentOS) supplied security patches.
Re: Need to upgrade to openssh 6.2 +
That's what I thought but maybe they are mis-construing Vendor as openssh rather than Red Hat.
Here is the full fail info:
Title: OpenSSH 5.2 is vulnerable
Impact: This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a session, or to gain remote root access to the OpenSSH server.
Resolution: Upgrade to [http://www.openssh.org] OpenSSH version 6.2 or higher, or install a fix from your operating system vendor.
Risk Factor: High/ CVSS2 Base Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE: CVE-2010-4478 BID: 51702
Additional CVEs: CVE-2010-5107 CVE-2010-4755 CVE-2012-0814 CVE-2011-5000
Re: Need to upgrade to openssh 6.2 +
Hooray! Some CVE numbers at last:
https://access.redhat.com/security/cve/CVE-2010-4478 - specifically the part that says "Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6."
https://access.redhat.com/security/cve/CVE-2010-5107
https://bugzilla.redhat.com/show_bug.cgi?id=681698
https://bugzilla.redhat.com/show_bug.cgi?id=785292
https://access.redhat.com/security/cve/CVE-2011-5000
All those come from Google for e.g. "site:redhat.com CVE-2011-5000"
Re: Need to upgrade to openssh 6.2 +
Sorry about not posting the CVE, it's just that I had sent the compliance company that link some time ago and they took no notice.
Re: Need to upgrade to openssh 6.2 +
Send it to them again: it explicitly says "Not vulnerable".
Re: Need to upgrade to openssh 6.2 +
Can I just check my repos are looking right? This is what happens when I run yum:
# yum update openssh
Loaded plugins: allowdowngrade, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* addons: mirror.as29550.net
* base: mirror.for.me.uk
* extras: mirror.as29550.net
* rpmforge: www.mirrorservice.org
* updates: mirror.mhd.uk.as44574.net
131 packages excluded due to repository priority protections
Setting up Update Process
No Packages marked for Update
I've sent them the link again and another explanation of what has been said here.
- AlanBartlett
- Forum Moderator
- Posts: 9345
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Need to upgrade to openssh 6.2 +
To help you to understand, please execute the following sequence of commands --
[code]
[b]yum clean all
yum --disablerepo \* --enablerepo base,updates check-update[/b]
[/code]
If you would like an explanation as to what is seen, feel free to post the exact output produced when the above are executed.
Re: Need to upgrade to openssh 6.2 +
OK, I have done that and there are still no updates available. The PCI "people" are now asking me to prove via a web link that the version of openssh installed is up to date for the CentOS version installed, CentOS release 5.8 (Final).
I'm guessing that isn't possible :evil:
- AlanBartlett
- Forum Moderator
- Posts: 9345
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Need to upgrade to openssh 6.2 +
You mention [i]CentOS 5.8[/i]. Usage of that version is deprecated, as 5.9 is the current release and 5.10 is on the way . . .
Please clarify the situation by showing the output produced by --
[code]
[b]rpm -qa \*release\* | sort[/b]
[/code]
[quote]
. . . the PCI "people" are now asking me to prove via a web link that the version of openssh installed is up to date for the CentOS version installed, CentOS release 5.8 (Final).
[/quote]
As has previously been written, [u][b]the numpties will [i]have[/i] to read the openssh package change log[/b][/u] . . . there is no web link.
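An added example (not posted in the thread) of the kind of evidence the replies above point at: checking the package changelog, which is where a vendor records backported fixes even though the version string never changes. The changelog text below is constructed for the example and is not the real CentOS 5 openssh changelog; on a real host you would feed in the output of `rpm -q --changelog openssh`.

```shell
#!/bin/sh
# Added example: match the CVE IDs a scanner lists against an RPM changelog.
# A backported fix shows up here while "rpm -q openssh" still reports the old
# upstream version, which is why version-based scanners flag it.

# Constructed sample changelog (made up for this example, not the real
# CentOS 5 openssh changelog). CVE-2010-4478 is deliberately absent: the
# vendor CVE page, not the changelog, is what says "Not vulnerable" for it.
SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Maintainer <maint@example.com> - 4.3p2-82
- backport fix for CVE-2010-5107 (connection slot exhaustion)
- backport fix for CVE-2012-0814 (debug info leak)
* Tue Jun 01 2010 Example Maintainer <maint@example.com> - 4.3p2-80
- rebuild for new release'

# cve_fixed CHANGELOG_TEXT CVE-ID -> exit 0 if the id is named in the changelog
# (-w so CVE-2010-5107 does not match a longer id such as CVE-2010-51070)
cve_fixed() {
    printf '%s\n' "$1" | grep -q -i -w -- "$2"
}

# cve_report CHANGELOG_TEXT CVE-ID... -> prints "<id> fixed|unresolved" per id
# and returns the number of ids NOT found (0 means all are accounted for)
cve_report() {
    changelog=$1; shift
    not_found=0
    for id in "$@"; do
        if cve_fixed "$changelog" "$id"; then
            printf '%s fixed\n' "$id"
        else
            printf '%s unresolved\n' "$id"
            not_found=$((not_found + 1))
        fi
    done
    return "$not_found"
}

# Replace SAMPLE_CHANGELOG with "$(rpm -q --changelog openssh)" on a real host.
if ! cve_report "$SAMPLE_CHANGELOG" CVE-2010-4478 CVE-2010-5107 CVE-2012-0814; then
    echo "unresolved ids: check the vendor CVE page (it may say 'Not vulnerable')"
fi
```

An "unresolved" id means the changelog does not mention it, not that the package is vulnerable: the thread's own CVE-2010-4478 is exactly that case.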