I have a shop that requires PCI compliance and we're currently being flagged as having an outdated patch for OpenSSH. It is a self-managed VPN and I'm stuck between securitymetrics telling me the backported version is outdated and my host telling me that if it was, it would update automatically.
I have openssh-server-5.3p1-81.el6_3.x86_64 and securitymetrics want to see openssh-server-5.3p1-84.1.el6.x86_64. Notices on redhat seem to confirm that the version I have is out of date ( https://rhn.redhat.com/errata/RHBA-2012-1443.html ) but it has not been updated automatically.
I am not a server guy, and the idea of compiling my own ssh version scares the hell out of me (and I wouldn't know where to start). If this backporting thing is supposed to be automated, I shouldn't have to should I?
Could someone please explain why this hasn't happened? Is there some way I can force this update? When I try to update through yum I get a dependency issue which stops the update (i.e. the current version is blocking the older version). I am trying to do this through SSH, so uninstalling the current version isn't an option even if I had the nerve.
My host has very quickly distanced themselves from me since I showed them things weren't up-to-date and are saying no one else is reporting this issue. How can this be? Surely there are lots of users needing PCI compliance.
Anyway, if any of you have hunches or things to try, I'd really appreciate it.
Regards
Andy
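The disagreement in the post comes down to comparing two RPM package strings, and plain string comparison gets RPM versions wrong. The following is an added example (not from the post or from the rpm project) that implements rpm's version-comparison rules in Python (tilde handling omitted, an assumption for brevity) and applies them to the two package strings quoted above, so a reader can see that the installed build really is older than the errata build.

```python
import re

# RPM compares version strings as alternating runs of digits and letters;
# separators like '.', '-' and '_' are ignored.
_TOKEN = re.compile(r"([0-9]+)|([a-zA-Z]+)")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm does.
    Returns -1 if a < b, 0 if equal, 1 if a > b. Tilde ('~') is not handled."""
    ta = [(m.group(1), m.group(2)) for m in _TOKEN.finditer(a)]
    tb = [(m.group(1), m.group(2)) for m in _TOKEN.finditer(b)]
    for (na, sa), (nb, sb) in zip(ta, tb):
        if na is not None and nb is not None:      # both numeric: compare as integers
            ia, ib = int(na), int(nb)
            if ia != ib:
                return -1 if ia < ib else 1
        elif na is not None:                        # numeric segment beats alpha segment
            return 1
        elif nb is not None:
            return -1
        elif sa != sb:                              # both alpha: plain lexical order
            return -1 if sa < sb else 1
    if len(ta) == len(tb):
        return 0
    return 1 if len(ta) > len(tb) else -1           # whichever has segments left is newer


def parse_nvra(pkg):
    """Split 'name-version-release.arch' into (name, version, release, arch)."""
    body, arch = pkg.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch


def compare_packages(installed, required):
    """-1 if installed is older than required, 0 if equal, 1 if newer.
    Version is compared first, then release (epoch assumed equal)."""
    n1, v1, r1, _ = parse_nvra(installed)
    n2, v2, r2, _ = parse_nvra(required)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


# The two builds named in the post (constructed input; no system is queried).
INSTALLED = "openssh-server-5.3p1-81.el6_3.x86_64"
REQUIRED = "openssh-server-5.3p1-84.1.el6.x86_64"

if __name__ == "__main__":
    print(compare_packages(INSTALLED, REQUIRED))  # -1: installed build is older
```

On the box itself, `rpm -q openssh-server` and `yum list updates openssh-server` give the authoritative answer; the script only shows why a scanner that understands RPM ordering flags 81.el6_3 as behind 84.1.el6.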