Koozali.org: home of the SME Server

Openssh version

del
Openssh version
« on: June 24, 2012, 07:57:18 PM »
I am running SME7.4 in server/gateway mode and because we accept credit cards a PCI compliance scan was run by Trustwave who say that openssh is vulnerable prior to version 4.4, I believe that I have version 3.9 (according to their evidence) so my question is what is the most up to date version I can safely install? Also is there any howto outlining the procedure? Would SME7.6 be a newer version? Thanks.

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it any way you wish, but you can only spend it once." --Author Unknown

janet
Re: Openssh version
« Reply #1 on: June 24, 2012, 11:03:06 PM »
del

You are very unwise to run an old version of sme 7.4 at all.
It is even more unwise when you are doing electronic financial transactions over the Internet.
You should always keep your server up to date with current update releases.
Minimally you should upgrade immediately to sme 7.6.

As for openssh do
rpm -q openssh
to check the version installed
I note on sme 7.6 openssh is still v3.9xx, so your best approach would be to upgrade to sme v8.0 which is now a final release. Not sure what version of openssh that is running though.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Jáder
Re: Openssh version
« Reply #2 on: June 24, 2012, 11:10:07 PM »
FYI:
[root@guepardo ~]# rpm -q openssh
openssh-4.3p2-82.el5
[root@guepardo ~]# cat /etc/redhat-release
SME Server release 8.0
[root@guepardo ~]#

And even if openSSH is older than 4.4 the bug MAY BE corrected.
Maybe it's backported to RHEL5... or not! ;)
...

del
Re: Openssh version
« Reply #3 on: June 25, 2012, 10:31:44 AM »
del

You are very unwise to run an old version of sme 7.4 at all.
It is even more unwise when you are doing electronic financial transactions over the Internet.
You should always keep your server up to date with current update releases.
Minimally you should upgrade immediately to sme 7.6

As for openssh do
rpm -q openssh
to check the version installed
I note on sme 7.6 openssh is still v3.9xx, so your best approach would be to upgrade to sme v8.0 which is now a final release. Not sure what version of openssh that is running though.
If I do all the updates using yum will it go to SME8.0 or do I need to physically download the ISO and use a disk? Although as Jader has pointed out it will still be older than 4.4 :-( At least I'll be a step closer to an acceptable version. I did a search on http://rpm.pbone.net and it came up with the following rpms:

ftp.sourceforge.net/pub/sourceforge/e/es/escore/score-7.0.2/rpm.rhel5.x86_64/score7.0.2-xcrypt-7.0.2-1.x86_64.rpm
ftp.sourceforge.net/pub/sourceforge/e/es/escore/score-7.0.1/rpm.rhel5.x86_64/score7.0.1-xcrypt-7.0.1-1.x86_64.rpm
ftp.sourceforge.net/pub/sourceforge/e/es/escore/score-7/rpm.rhel5.x86_64/score7.0.0-xcrypt-7.0.0-1.x86_64.rpm
ftp.sourceforge.net/pub/sourceforge/s/se/selinux/OldFiles/openssh-selinux-3.1p1-6.i386.rpm
ftp.sourceforge.net/pub/sourceforge/s/se/selinux/OldFiles/openssh-selinux-3.1p1-2.i386.rpm
ftp.sourceforge.net/pub/sourceforge/m/ma/magiclinux-plus/update/RPMS.dist/openssh-5.6p1-34mgc25.1.i686.rpm
ftp.sourceforge.net/pub/sourceforge/r/ro/roblinux/64-32_pkg/net/x86_64/openssh-5.5p1-1rt.x86_64.rpm
ftp.sourceforge.net/pub/sourceforge/r/ro/roblinux/64-32_pkg/net/i686/openssh-5.5p1-1rt.i686.rpm
ftp.rpmhelp.net/pub/releases/1.0-CURRENT/i586/RPMS/openssh-3.6.1p2-12sls.i586.rpm
ftp.falsehope.net/home/pierre/openssh/openssh-1.2.3-2.i386.rpm
ftp.sourceforge.net/pub/sourceforge/e/ea/easylugs/openssh/1.2.2-1/openssh-1.2.2-1.i386.rpm
ftp.hacktic.nl/pub/replay/pub/crypto/OpenSSH/files/openssh-1.2.2-1.i386.rpm
ftp.hacktic.nl/pub/replay/pub/crypto/OpenSSH/files/openssh-1.2.1pre27-1.i386.rpm

But I have no idea if any of them are suitable for SME :cry: So if anyone can help shed some light on it I would be eternally grateful.

Regards,
Del

janet
Re: Openssh version
« Reply #4 on: June 25, 2012, 12:12:50 PM »
del

The yum updates with the repos set "as is" will take you to sme7.6

Then you can upgrade to sme8.0 using a CD, or point (reset) your repos to use the sme 8 repository locations.
Refer http://wiki.contribs.org/SME_Server_8

I would worry about openssh version later after you have sme8 running.
As jader says, perhaps openssh 4.3 will be OK as it may have the appropriate security requirements.


del
Re: Openssh version
« Reply #5 on: June 26, 2012, 10:13:13 AM »
The reason I asked about upgrading using SME updates, either in server manager or running yum update is that I am now back in the UK and the server is located in Port St. Lucie, FL. I am not too confident about doing such a big update via SSH or remote access. So my next question is, is there anyone in that area that would like to go on site and take a look for me? The person there is willing to pay for your services, let me know and I can give you the contact details.

Regards,
Del

CharlieBrady
Re: Openssh version
« Reply #6 on: June 26, 2012, 05:01:35 PM »
I am running SME7.4 in server/gateway mode and because we accept credit cards a PCI compliance scan was run by Trustwave who say that openssh is vulnerable prior to version 4.4 ...

Is vulnerable to what? Please quote a CVE number.

You will likely find that whatever problem was found and fixed in version 4.4 has also been fixed in the version which is running on your server. Trustwave may be wrongly concluding that your server is vulnerable based only on the version number.
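One way to turn CharlieBrady's point into a repeatable check, as an added example that is not from this thread: compare the upstream version embedded in the RPM name against the scanner's threshold, and if it is below, look in the package changelog for the CVE the scanner cites before treating the finding as real. The CVE id, changelog text and maintainer lines below are constructed placeholders; on a real SME box the changelog comes from rpm -q --changelog openssh.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide whether an OpenSSH package is
# really affected, rather than trusting the version number alone.
# Assumes the CVE id comes from the scanner report; CVE-XXXX-YYYY below is a placeholder.

# Extract the upstream OpenSSH version from an RPM NVR such as openssh-4.3p2-82.el5.
# Prints "4.3p2".
upstream_version() {
    echo "$1" | sed -e 's/^openssh-//' -e 's/-[^-]*$//'
}

# Return 0 (true) when upstream version $1 is older than threshold $2.
# The portable-release suffix (p2) is ignored: 4.3p2 is treated as 4.3.
version_below() {
    v=$(echo "$1" | sed 's/p[0-9]*$//')
    t=$(echo "$2" | sed 's/p[0-9]*$//')
    vmaj=${v%%.*}; vmin=${v#*.}
    tmaj=${t%%.*}; tmin=${t#*.}
    [ "$vmaj" -lt "$tmaj" ] || { [ "$vmaj" -eq "$tmaj" ] && [ "$vmin" -lt "$tmin" ]; }
}

# Return 0 when changelog text $1 mentions CVE id $2, i.e. the fix was backported.
# On a live system feed it: changelog_mentions "$(rpm -q --changelog openssh)" CVE-...
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Constructed changelog excerpt in the style of rpm -q --changelog (not real data).
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Maintainer <maintainer@example.com> - 4.3p2-82
- backport fix for CVE-XXXX-YYYY (placeholder id)
- rebuild for update
* Fri Jun 02 2006 Example Maintainer <maintainer@example.com> - 4.3p2-1
- update to 4.3p2'

# Verdict: "affected", "backported" or "not-affected".
assess() {  # $1 = package NVR, $2 = fixed-in upstream version, $3 = CVE id, $4 = changelog text
    ver=$(upstream_version "$1")
    if ! version_below "$ver" "$2"; then
        echo "not-affected"
    elif changelog_mentions "$4" "$3"; then
        echo "backported"
    else
        echo "affected"
    fi
}

assess openssh-4.3p2-82.el5 4.4 CVE-XXXX-YYYY "$SAMPLE_CHANGELOG"
```

A "backported" verdict is what you would send back to the scanning vendor, together with the changelog entry, to dispute a version-only finding.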