Well, it's not *really* openssh 4.3p2, it's openssh-4.3p2-82. That "82" is what you pay attention to, because it indicates what backports have been applied to it.
Yes, I managed to figure that out. Unfortunately, the PCI scanning folks are not understanding that. I have to go item by item that failed and document each version installed and explain to them that it is a false positive and why because they can't see the patches / backports. This is absurd. If they are going to require compliance, then they should at least be able to scan accurately.
These companies are very strange sometimes. One of our customers asked if our hosting systems were PCI compliant and I said categorically "no". Not only are there a host of little changes to make (most done anyway) but I knew there would be issues with things like you describe.
The customer went ahead and got the system his account was hosted on tested. To my surprise (and horror) the system was passed with flying colours. Err... what?
Maybe there are different levels of testing and whatever this customer needed didn't require a detailed test?
KirkM wrote: Yes, I managed to figure that out. Unfortunately, the PCI scanning folks are not understanding that. I have to go item by item that failed and document each version installed and explain to them that it is a false positive and why because they can't see the patches / backports. This is absurd. If they are going to require compliance, then they should at least be able to scan accurately.
Can't you hand them a list of installed packages and versions (rpm -qa | sort > installed-software.txt)? Have them read https://access.redhat.com/security/updates/backporting/ and then tell them to start doing their job. All of the updates are documented by Red Hat including CVE numbers and everything. If you really need to do all the work yourself their scan is pretty worthless.
openssh-server-4.3p2-82.el5 is the current and latest version on CentOS 5.8.
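Putting the two points above together (the release field after the upstream version is where the backports show up, and Red Hat documents every one of them with CVE numbers in the package changelog), here is an added example, not from anyone in this thread, of how to generate the per-package evidence by script instead of by hand. It splits an NVR like openssh-server-4.3p2-82.el5 into name, upstream version and release, pulls the CVE ids out of changelog text, and checks whether the installed release is at or past the release the vendor advisory names as fixed. The changelog text is a constructed sample laid out like `rpm -q --changelog` output with placeholder CVE ids (CVE-9999-xxxx); on a real CentOS/RHEL box you would feed it the real output of `rpm -q --changelog <pkg>`.

```shell
#!/bin/sh
# Added example, not the thread's or the vendor's code: turn an installed NVR
# plus its RPM changelog into the evidence a PCI scanner wants when it flags
# the upstream version string and ignores the distro release.

# Name, upstream version and distro release from an NVR such as
# openssh-server-4.3p2-82.el5. The release ("82.el5") is the field the
# scanner ignores and the field that carries the backported fixes.
nvr_name()    { printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\1/'; }
nvr_version() { printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\2/'; }
nvr_release() { printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\3/'; }

# Unique CVE ids mentioned anywhere in changelog text passed as $1.
changelog_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 when installed NVR ($1) is at or past the vendor's fixed
# version-release ($2, e.g. "4.3p2-82"). Only the numeric prefix of the
# release is compared, which is enough while the upstream version matches;
# comparing across upstream versions would need rpmvercmp semantics.
fixed_in() {
    inst_ver=$(nvr_version "$1"); inst_rel=$(nvr_release "$1")
    fix_ver=${2%-*};              fix_rel=${2##*-}
    [ "$inst_ver" = "$fix_ver" ] || return 1
    [ "${inst_rel%%.*}" -ge "${fix_rel%%.*}" ]
}

# One evidence block for a flagged package: installed NVR ($1), changelog ($2).
pci_evidence() {
    printf 'Package : %s\nUpstream: %s\nRelease : %s (vendor backports applied)\n' \
        "$(nvr_name "$1")" "$(nvr_version "$1")" "$(nvr_release "$1")"
    printf 'CVEs fixed per package changelog:\n'
    changelog_cves "$2" | sed 's/^/  /'
}

# CONSTRUCTED sample in the layout "rpm -q --changelog" prints. The CVE ids
# are placeholders, not real advisories. Replace with real output, e.g.:
#   pci_evidence openssh-server-4.3p2-82.el5 "$(rpm -q --changelog openssh-server)"
SAMPLE_CHANGELOG='* Tue Jan 01 2013 Packager <pkg@example.com> - 4.3p2-82
- backport: fix for CVE-9999-0001 (placeholder id)
- rebuild
* Mon Jan 02 2012 Packager <pkg@example.com> - 4.3p2-76
- backport: fixes for CVE-9999-0002 and CVE-9999-0001 (placeholder ids)
'

pci_evidence openssh-server-4.3p2-82.el5 "$SAMPLE_CHANGELOG"
```

Run it over `rpm -qa | sort` and the flagged-package list from the scan report, and you get one block per false positive to attach to the dispute; `fixed_in` is the line item that answers the QSA's actual question, "is the fix in the installed release?".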
And as always for ASL subscribers, we're happy to support you with issues like that with PCI assessments. Usually all it takes is an email from us to the QSA.