Need to upgrade to openssh 6.2 +
This is for pci compliance, I can't yum update beyond 5.2
- AlanBartlett
- Forum Moderator
- Posts: 9345
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Need to upgrade to openssh 6.2 +
No you do not need to upgrade openssh! :-x
Please read [i]The Upstream Vendor[/i]'s [url=http://www.redhat.com/security/updates/backporting/]policy of backporting[/url] security and bug fixes.
Once you have read it, please ensure that whoever it is that is telling you incorrect information also reads and understands it. They [u][i][b]should not[/b][/i][/u] rely on the version number but [u][i][b]read the package's changelog[/b][/i][/u].
Re: Need to upgrade to openssh 6.2 +
I've been told that the installed version is not backported
openssh-5.2p1-1
openssh-clients-5.2p1-1
openssh-server-5.2p1-1
As yum will not upgrade any higher what should I do?
Re: Need to upgrade to openssh 6.2 +
What exactly is the issue that you are trying to fix? Do you have a CVE number? Running
[code]
rpm -q --changelog openssh | grep CVE-yyyy-nnnn
[/code]
can often show you that the issue you're interested in is fixed. If not then using google to search for "CVE-yyyy-nnnn site:redhat.com" can often show you either a page that tells you when it was fixed or a bugzilla page that explains why Redhat believe that it is not an issue that needs fixing (for example, because some feature is not turned on in Redhat builds that would expose the vulnerable code).
If there is no CVE - browsing the upstream openssh changelog shows nothing that I'd regard as a security vulnerability since 6.0 and even that doesn't sound particularly serious - then you'll need to be much more specific about what the problem that you are trying to fix is! PCI auditors are often complete idiots who have a clipboard and a checklist and they need a reasoned explanation given to them as to why you don't tick the box on their checklist. You'll need to get them to explain to you what the purpose of the current checkbox is!
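The two replies above (read the package changelog rather than the version number; grep it for the CVE id) describe a procedure without showing it end to end. The script below is an added example, not code from the thread, from Red Hat or from CentOS. The changelog text in it is constructed in the format `rpm -q --changelog` prints, the CVE ids in that sample are placeholders not assigned to any real vulnerability, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check whether a CVE id is referenced in an RPM package's
# changelog, which is where a backported fix is recorded even though the
# upstream version number (e.g. 5.2p1) never changes. Not from the thread.

# Constructed sample in the layout `rpm -q --changelog` prints.
# The CVE ids are placeholders, not assigned to any real vulnerability.
SAMPLE_CHANGELOG='* Mon Jan 02 2012 Example Packager <packager@example.invalid> - 5.2p1-1
- backport fix for CVE-2012-0000 (constructed entry)
- backport fix for CVE-2011-0000 (constructed entry)
- CVE-2012-0000: add regression test

* Tue Jan 05 2010 Example Packager <packager@example.invalid> - 5.2p1-0
- initial build'

# cve_in_changelog CVE-ID: read changelog text on stdin, exit 0 if the id
# appears as a whole word (so CVE-2012-0000 does not match CVE-2012-00001).
cve_in_changelog() {
    grep -Fqw -- "$1"
}

# cves_in_changelog: read changelog text on stdin, print each CVE id once,
# useful for handing an auditor the full list of fixes the package carries.
cves_in_changelog() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# check_package_cve PACKAGE CVE-ID: query the installed package with rpm.
# Exit 0 = referenced in changelog, 1 = not referenced, 2 = not installed.
check_package_cve() {
    pkg=$1
    cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed"
        return 2
    fi
    # Name-version-release is what the vendor's CVE page / errata refers to.
    nvr=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$pkg" | head -n 1)
    if rpm -q --changelog "$pkg" | cve_in_changelog "$cve"; then
        echo "$nvr: $cve is referenced in the package changelog"
        return 0
    fi
    # Absence from the changelog is not proof the flaw is present: the vendor
    # may have judged the code not affected, so check their CVE page next.
    echo "$nvr: $cve not referenced; check the vendor's CVE page or Bugzilla before assuming it is unfixed"
    return 1
}

# Only query rpm when invoked as: sh check_cve.sh openssh CVE-yyyy-nnnn
if [ $# -eq 2 ]; then
    check_package_cve "$1" "$2"
fi
```

The `-w` on grep matters: without it a short id is a prefix of longer ones and a search for one CVE can be satisfied by an unrelated entry. Exit status 1 should be read as "go and look at the vendor's own CVE page", not as "vulnerable".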
- AlanBartlett
- Forum Moderator
- Posts: 9345
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Need to upgrade to openssh 6.2 +
[quote]
optikaa wrote:
I've been told that the installed version is not backported
. . . what should I do?
[/quote]
Simple. Get the fool who is feeding you with incorrect information to [b][i]read this thread[/i][/b]!
Re: Need to upgrade to openssh 6.2 +
I had a bit of an exchange with them last night and it turns out the CVE was ignored by Red Hat some time ago (2010) so I have no idea why this had come up now.
I'm guessing this is why there is no sign of it on the changelog.
They have passed it on to a superior who might not be so dense.
- AlanBartlett
- Forum Moderator
- Posts: 9345
- Joined: 2007/10/22 11:30:09
- Location: ~/Earth/UK/England/Suffolk
- Contact:
Re: Need to upgrade to openssh 6.2 +
It may well turn out that the CVE was not ignored by [i]Red Hat[/i] but that the fix was not necessary because [i]Red Hat[/i]'s code did not contain the flaw in question.
Perhaps the PCI numpties would care to discuss the matter with [i]Red Hat[/i]?
Just between the pair of us, do you honestly think that with the vast numbers of [i]RHEL[/i] / [i]CentOS[/i] / [i]Scientific Linux[/i] systems installed worldwide, if there was a defect it would not have been observed and fixed by now?
PCI numpties are a proverbial pain in the nether-regions and show their total lack of knowledge with every invalid comment that they make.
The 'superior' is welcome to join this thread . . . :roll:
Re: Need to upgrade to openssh 6.2 +
Hey guys,
I'm actually running into a similar issue with this as well. Is there a way to tell if openssh-5.2p1-1 is the latest version? There doesn't appear to be a release number attached to this. From what I understand, if your PCI vendor can see that it is the latest release (even if backported) they can make a false positive. I could be wrong on this, but that's what I've understood it to be.
Re: Need to upgrade to openssh 6.2 +
Ok I'm still getting no-where despite intervention from 'superiors'.
The line they are now taking is that according to PCI compliance all software must have the latest security patches regardless of circumstance.
From the PCI compliance questionnaire:
6.1.a Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?