OpenSSH update on plesk, is it safe?

arctic_ged
Forum User
Posts: 18
Joined: Tue Jun 08, 2010 4:50 am

OpenSSH update on plesk, is it safe?

Post by arctic_ged:

Hi,

Our server has failed PCI Compliance because OpenSSH 4.3 is "vulnerable" -
http://web.nvd.nist.gov/view/vuln/detai ... -2006-5051

When I run yum update openssh i get the following output:

[root@www asl]# yum update openssh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: mir01.syntis.net
 * elrepo: mirror.imt-systems.com
 * epel: ftp-stud.hs-esslingen.de
 * rpmforge: mirror1.hs-esslingen.de
Setting up Update Process
No Packages marked for Update

Does this mean I need to update OpenSSH manually, and is this safe? I'm running Plesk 10.4.4 on CentOS 5.5.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OpenSSH update on plesk, is it safe?

Post by scott:

That's absolutely a vulnerability, you need to upgrade the system to CentOS 5.8 to get where you need to be.
KirkM
Forum User
Posts: 25
Joined: Mon Jun 11, 2007 10:18 pm

Re: OpenSSH update on plesk, is it safe?

Post by KirkM:

I have CentOS 5.8 final and still see openssh 4.3. Yum also sees no update available. Is it safe to update?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OpenSSH update on plesk, is it safe?

Post by scott:

Well, it's not *really* openssh 4.3p2, it's openssh-4.3p2-82. That "82" is what you pay attention to, because that indicates what backports have been applied to it.
KirkM
Forum User
Posts: 25
Joined: Mon Jun 11, 2007 10:18 pm

Re: OpenSSH update on plesk, is it safe?

Post by KirkM:

Yes, I managed to figure that out. Unfortunately, the PCI scanning folks are not understanding that. I have to go item by item that failed and document each version installed and explain to them that it is a false positive and why because they can't see the patches / backports. This is absurd. If they are going to require compliance, then they should at least be able to scan accurately.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: OpenSSH update on plesk, is it safe?

Post by faris:

These companies are very strange sometimes. One of our customers asked if our hosting systems were PCI compliant and I said categorically "no". Not only are there a host of little changes to make (most done anyway) but I knew there would be issues with things like you describe.

The customer went ahead and got the system his account was hosted on tested. To my surprise (and horror) the system was passed with flying colours. Err... what?

Maybe there are different levels of testing and whatever this customer needed didn't require a detailed test?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: OpenSSH update on plesk, is it safe?

Post by breun:

KirkM wrote:
> Yes, I managed to figure that out. Unfortunately, the PCI scanning folks are not understanding that. I have to go item by item that failed and document each version installed and explain to them that it is a false positive and why because they can't see the patches / backports. This is absurd. If they are going to require compliance, then they should at least be able to scan accurately.

Can't you hand them a list of installed packages and versions (rpm -qa | sort > installed-software.txt)? Have them read https://access.redhat.com/security/updates/backporting/ and then tell them to start doing their job. All of the updates are documented by Red Hat including CVE numbers and everything. If you really need to do all the work yourself their scan is pretty worthless.

openssh-server-4.3p2-82.el5 is the current and latest version on CentOS 5.8.
Lemonbit Internet Dedicated Server Management
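Scott's point about the "82" release tag and breun's suggestion of documenting installed package versions can be turned into a repeatable check. The following script is an added example, not code from the thread or from Atomicorp: it parses an RPM name-version-release string, compares version and release the way rpm does, and looks for a CVE identifier in a package changelog. The fixed build "4.3p2-24.el5" and the changelog text are constructed placeholders; the real values come from the vendor advisory and from `rpm -q --changelog openssh-server` on the host.

```python
import re

# Constructed sample values; the real ones come from `rpm -q openssh-server`
# and `rpm -q --changelog openssh-server` on the host being assessed.
INSTALLED = "openssh-server-4.3p2-82.el5"
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2007 Example Maintainer <maint@example.invalid> - 4.3p2-24
- fix for CVE-2006-5051 (signal handler race), backported
* Mon Jan 01 2006 Example Maintainer <maint@example.invalid> - 4.3p2-9
- rebuilt
"""

def parse_nvr(nvr):
    """Split 'name-version-release' into (name, version, release)."""
    name_ver, _, release = nvr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release

def rpm_vercmp(a, b):
    """Compare two version or release strings like rpmvercmp: digit runs compare
    numerically, letter runs lexically, a digit run outranks a letter run, and
    when all shared segments tie the longer string is newer. Returns 1, 0 or -1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def at_or_after(installed_nvr, fixed_nvr):
    """True when the installed build is the fixed build or a later one."""
    name, ver, rel = parse_nvr(installed_nvr)
    fname, fver, frel = parse_nvr(fixed_nvr)
    if name != fname:
        raise ValueError("package names differ: %s vs %s" % (name, fname))
    c = rpm_vercmp(ver, fver)
    return c > 0 or (c == 0 and rpm_vercmp(rel, frel) >= 0)

def cve_in_changelog(changelog, cve_id):
    """True when the CVE identifier appears as a whole token in the changelog."""
    return re.search(r"\b" + re.escape(cve_id) + r"\b", changelog) is not None
```

Both results (build at or after the fixed release, and the CVE named in the changelog) are what a scanner that only reads the upstream version string cannot see, and together they are the evidence to hand to the assessor.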
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: OpenSSH update on plesk, is it safe?

Post by scott:

And as always for ASL subscribers, we're happy to support you with issues like that with PCI assessments. Usually all it takes is an email from us to the QSA.