PCI Compliant On CentOS 7.x

sjkeerthi
Posts: 4
Joined: 2017/06/08 07:35:23

PCI Compliant On CentOS 7.x

Post by sjkeerthi » 2017/06/08 08:13:36

Hi All,

Recently, in order to get a PCI Compliant certificate, we scanned our machine and I found too many issues for openssh.
I really have no clue whether these vulnerabilities have been fixed or not.

openssh-server-6.6.1p1-35.el7_3.x86_64
openssh-clients-6.6.1p1-35.el7_3.x86_64
openssh-6.6.1p1-35.el7_3.x86_64

I was not able to find these CVEs using --changelog for all of the above packages.

CVE-2015-6564
CVE-2015-6563
CVE-2015-6565
CVE-2015-5600
CVE-2016-10009
CVE-2016-10011
CVE-2016-10012
CVE-2016-10010
CVE-2016-6515
CVE-2016-6210
CVE-2004-1653
CVE-2014-2653
CVE-2015-5352
CVE-2015-4000

It would be great if someone could help me with how to pass it.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: PCI Compliant On CentOS 7.x

Post by avij » 2017/06/08 09:36:58

Hm, it seems that not all CVEs are recorded in the changelog. Another source of information is RH's Bugzilla, for example https://bugzilla.redhat.com/show_bug.cg ... -2015-6564 , which states that this vulnerability was fixed in RHSA-2015-2088.

There's also Red Hat's CVE database, which contains much of the same information in a more condensed format.
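The check avij describes (the changelog is one source, Bugzilla and Red Hat's CVE database are the others) can be partly automated: extract every CVE id that `rpm -q --changelog` mentions, compare it with the scanner's list, and only the CVEs left over need a manual lookup. The script below is an added example, not from the original thread; the changelog text embedded in it is a constructed sample standing in for real `rpm` output (the bug id and entries are placeholders), and `rpm_changelog` is a hypothetical helper that only works on a host where `rpm` exists.

```python
import re
import subprocess

# Matches ids such as CVE-2015-6564 regardless of case.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# The list the scanner reported in the opening post.
SCANNER_CVES = [
    "CVE-2015-6564", "CVE-2015-6563", "CVE-2015-6565", "CVE-2015-5600",
    "CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10010",
    "CVE-2016-6515", "CVE-2016-6210", "CVE-2004-1653", "CVE-2014-2653",
    "CVE-2015-5352", "CVE-2015-4000",
]

# Constructed sample of `rpm -q --changelog openssh-server` output.
# Dates, maintainer, bug id and which CVEs appear are placeholders,
# not real package history.
SAMPLE_CHANGELOG = """\
* Tue Mar 21 2017 Example Maintainer <maint@example.invalid> - 6.6.1p1-35
- placeholder entry: resolves: #0000000
- CVE-2016-6210 (constructed sample entry)

* Mon Jan 09 2017 Example Maintainer <maint@example.invalid> - 6.6.1p1-34
- cve-2016-10009, CVE-2016-10012 (constructed sample entry)
"""


def cves_in_changelog(text):
    """Return the set of CVE ids mentioned anywhere in a changelog, upper-cased."""
    return {m.upper() for m in CVE_RE.findall(text)}


def classify(cve_list, changelog_text):
    """Split a scanner's CVE list into (mentioned, unmentioned), keeping input order.

    'unmentioned' does not mean 'vulnerable': as the thread notes, not every
    backported fix names its CVE in the changelog, so those ids are the ones
    to look up in Red Hat Bugzilla or the Red Hat CVE database.
    """
    present = cves_in_changelog(changelog_text)
    mentioned = [c for c in cve_list if c.upper() in present]
    unmentioned = [c for c in cve_list if c.upper() not in present]
    return mentioned, unmentioned


def rpm_changelog(package):
    """Hypothetical helper: fetch the real changelog with rpm, or None if rpm is absent."""
    try:
        proc = subprocess.run(["rpm", "-q", "--changelog", package],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = rpm_changelog("openssh-server") or SAMPLE_CHANGELOG
    found, missing = classify(SCANNER_CVES, text)
    print("Named in changelog:      ", ", ".join(found) or "(none)")
    print("Need manual lookup (RH): ", ", ".join(missing) or "(none)")
```

On a real CentOS host the script reads the installed package's changelog; anywhere else it falls back to the constructed sample so the logic can be exercised. The "manual lookup" list is the one to take to Bugzilla or the Red Hat CVE pages, which record the RHSA that shipped a backported fix even when the changelog entry does not name the CVE.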

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: PCI Compliant On CentOS 7.x

Post by KernelOops » 2017/07/02 21:31:40

I've had a similar experience. I am required to be PCI compliant for more than 20 servers, and the PCI scan run by a third-party company always comes up with these ridiculous failures.

I did some digging into it and I discovered that these PCI scans are absolutely garbage. They have no idea what kind of software I run or even how "patched" they are. Essentially, they blindly add CVEs into their database every month, and every single *new* CVE they add is automatically flagged as vulnerable. Seems to me like a simple tactic to appear as if they do something useful.

Then of course I have to send them an email, listing every single CVE, telling them how irrelevant they are, because some date back many months and have already been patched, while others are for completely different systems (Mac or Windoze) or even different services which I don't even run (but they assume I do).

I suggest you do something similar: show them the CVEs on the Red Hat portal and explain that blindly accusing you is not a real job.
--
R.I.P. CentOS :cry:
--
