Need to upgrade to openssh 6.2 +

Installing, Configuring, Troubleshooting server daemons such as Web and Mail
optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/09/19 19:58:24

This is for PCI compliance, I can't yum update beyond 5.2

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Need to upgrade to openssh 6.2 +

Post by AlanBartlett » 2013/09/19 20:39:17

No, you do not need to upgrade openssh! :-x

Please read [i]The Upstream Vendor[/i]'s [url=http://www.redhat.com/security/updates/backporting/]policy of backporting[/url] security and bug fixes.

Once you have read it, please ensure that whoever it is that is telling you incorrect information also reads and understands it. They [u][i][b]should not[/b][/i][/u] rely on the version number but [u][i][b]read the package's changelog[/b][/i][/u].

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/09/19 20:46:31

Ok thanks

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/09/21 18:11:05

I've been told that the installed version is not backported

openssh-5.2p1-1
openssh-clients-5.2p1-1
openssh-server-5.2p1-1

As yum will not upgrade any higher what should I do?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Need to upgrade to openssh 6.2 +

Post by TrevorH » 2013/09/21 22:06:43

What exactly is the issue that you are trying to fix? Do you have a CVE number? Running

[code]
rpm -q --changelog openssh | grep CVE-yyyy-nnnn
[/code]

can often show you that the issue you're interested in is fixed. If not then using google to search for "CVE-yyyy-nnnn site:redhat.com" can often show you either a page that tells you when it was fixed or a bugzilla page that explains why Redhat believe that it is not an issue that needs fixing (for example, because some feature is not turned on in Redhat builds that would expose the vulnerable code).

If there is no CVE - browsing the upstream openssh changelog shows nothing that I'd regard as a security vulnerability since 6.0 and even that doesn't sound particularly serious - then you'll need to be much more specific about what the problem that you are trying to fix is! PCI auditors are often complete idiots who have a clipboard and a checklist and they need a reasoned explanation given to them as to why you don't tick the box on their checklist. You'll need to get them to explain to you what the purpose of the current checkbox is!
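The changelog check from the post above, worked through as an added example (this is not code from the thread, from Red Hat or from CentOS). It reads changelog text in `rpm -q --changelog` format and reports which package release first mentions a given CVE, so the answer handed to the auditor is "fixed in release X on date Y" rather than a bare grep hit; it also prints the installed name-version-release and asks yum whether a newer build exists. The embedded changelog is constructed sample data, the CVE-0000-000x ids are placeholders and not real CVEs, and the script name `check_cve.sh` is assumed; the live rpm/yum checks only run on an RPM-based host and only when a CVE id is passed on the command line.

```shell
#!/bin/sh
# Added example (not code from the thread, Red Hat or CentOS): answer a
# scanner's "openssh < 6.2" finding with evidence from the RPM changelog,
# as the post above suggests, and show the installed NVR alongside it.
#
# Assumptions: SAMPLE_CHANGELOG is CONSTRUCTED data in `rpm -q --changelog`
# format and CVE-0000-000x are placeholder ids, not real CVEs; the live
# checks at the bottom run only where rpm/yum exist and a CVE is given.

SAMPLE_CHANGELOG='* Tue Mar 05 2013 Example Maintainer <maint@example.com> - 5.2p1-1
- fix a denial of service in sshd (CVE-0000-0001)

* Mon Jan 14 2013 Example Maintainer <maint@example.com> - 5.2p1-0.1
- client hardening, addresses CVE-0000-00012

* Fri Nov 02 2012 Example Maintainer <maint@example.com> - 5.1p1-3
- rebase to upstream 5.1p1
'

# Read changelog text on stdin and print the header line ("* <date>
# <packager> - <version-release>") of every entry that mentions the CVE,
# i.e. the release that carried the backported fix. Exit status is 0 when
# at least one entry matched, 1 otherwise, so it can drive an if/else.
# The id is matched as a whole token (CVE-0000-0001 must not match
# CVE-0000-00012) and the comparison is case-insensitive.
cve_fixed_in() {
    awk -v cve="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        BEGIN { re = "(^|[^0-9a-z_])" cve "([^0-9a-z_]|$)"; found = 0 }
        /^\*/ { header = $0; next }          # new entry: remember its header
        tolower($0) ~ re {                   # a body line names the CVE
            if (!(header in seen)) { print header; seen[header] = 1 }
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Installed name-version-release.arch from the RPM database; this is the
# string to quote at the auditor together with the changelog entry.
installed_nvr() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$1"
}

# Is the package the newest build the configured repos offer?
# yum check-update exits 0 when nothing is pending and 100 when an update is.
is_current() {
    yum -q check-update "$1" >/dev/null 2>&1
}

# Demo on the constructed sample: prints only the 5.2p1-1 header.
printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-0000-0001

# Live check on an RPM host. Usage: sh check_cve.sh CVE-yyyy-nnnn [package]
if command -v rpm >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    pkg="${2:-openssh}"
    echo "installed: $(installed_nvr "$pkg")"
    if rpm -q --changelog "$pkg" | cve_fixed_in "$1"; then
        echo "=> $1 is named in the $pkg changelog: the fix is backported"
    else
        echo "=> $1 is not in the $pkg changelog; check the vendor's CVE page before calling it unfixed"
    fi
    if command -v yum >/dev/null 2>&1; then
        if is_current "$pkg"; then
            echo "=> $pkg is the latest build the repos offer"
        else
            echo "=> a newer $pkg build is available: yum update $pkg"
        fi
    fi
fi
```

A changelog miss is not proof of exposure: as the post says, the vendor may have judged the flaw not to affect its build, so the next stop is the vendor's page for that CVE, not a source build of a newer openssh.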

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Need to upgrade to openssh 6.2 +

Post by AlanBartlett » 2013/09/22 01:07:01

[quote]
optikaa wrote:
I've been told that the installed version is not backported

. . . what should I do?
[/quote]
Simple. Get the fool who is feeding you with incorrect information to [b][i]read this thread[/i][/b]!

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/09/22 17:12:06

I had a bit of an exchange with them last night and it turns out the CVE was ignored by Red Hat some time ago (2010), so I have no idea why this has come up now.

I'm guessing this is why there is no sign of it on the changelog.

They have passed it on to a superior who might not be so dense.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Need to upgrade to openssh 6.2 +

Post by AlanBartlett » 2013/09/22 18:28:47

It may well turn out that the CVE was not ignored by [i]Red Hat[/i] but that the fix was not necessary because [i]Red Hat[/i]'s code did not contain the flaw in question.

Perhaps the PCI numpties would care to discuss the matter with [i]Red Hat[/i]?

Just between the pair of us, do you honestly think that with the vast numbers of [i]RHEL[/i] / [i]CentOS[/i] / [i]Scientific Linux[/i] systems installed worldwide, if there was a defect it would not have been observed and fixed by now?

PCI numpties are a proverbial pain in the nether-regions and show their total lack of knowledge with every invalid comment that they make.

The 'superior' is welcome to join this thread . . . :roll:

jta89
Posts: 1
Joined: 2013/10/04 19:49:07

Re: Need to upgrade to openssh 6.2 +

Post by jta89 » 2013/10/04 19:56:27

Hey guys,

I'm actually running into a similar issue with this as well. Is there a way to tell if openssh-5.2p1-1 is the latest version? There doesn't appear to be a release number attached to this. From what I understand, if your PCI vendor can see that it is the latest release (even if backported) they can make a false positive. I could be wrong on this, but that's what I've understood it to be.

optikaa
Posts: 92
Joined: 2009/03/26 19:24:37

Re: Need to upgrade to openssh 6.2 +

Post by optikaa » 2013/10/04 20:40:32

Ok, I'm still getting nowhere despite intervention from 'superiors'.

The line they are now taking is that according to PCI compliance all software must have the latest security patches regardless of circumstance.

From the PCI compliance questionnaire:


6.1.a Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
