Old 11-20-2013, 05:40 AM   #1
andypooz
LQ Newbie
 
Registered: Nov 2013
Posts: 2

Open SSH backported version out of date for PCI


I have a shop that requires PCI compliance and we're currently being flagged as having an outdated patch for OpenSSH. It is a self-managed VPN and I'm stuck between securitymetrics telling me the backported version is outdated and my host telling me that if it was, it would update automatically.

I have openssh-server-5.3p1-81.el6_3.x86_64 and securitymetrics want to see openssh-server-5.3p1-84.1.el6.x86_64. Notices on redhat seem to confirm that the version I have is out of date ( https://rhn.redhat.com/errata/RHBA-2012-1443.html ) but it has not been updated automatically.

I am not a server guy, and the idea of compiling my own ssh version scares the hell out of me (and I wouldn't know where to start). If this backporting thing is supposed to be automated, I shouldn't have to should I?

Could someone please explain why this hasn't happened? Is there some way I can force this update? When I try to update through yum I get a dependency issue which stops the update (i.e. the current version is blocking the older version). I am trying to do this through SSH, so uninstalling the current version isn't an option even if I had the nerve.

My host has very quickly distanced themselves from me since I showed them things weren't up-to-date and are saying no one else is reporting this issue. How can this be? Surely there are lots of users needing PCI compliance.

Anyway, if any of you have hunches or things to try, I'd really appreciate it.

Regards
Andy
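The scanner finding above comes down to an ordering question: is the installed version-release string older than the one the errata ships? The script below is an added example, written for this thread and not taken from the forum post, Red Hat or the scanner vendor. It re-implements rpm's segment-wise version ordering in plain sh/awk (simplified: no epoch, no `~` or `^` handling, which is enough for the el6 package names quoted in the thread), compares the two constructed values from the post, and, when run on a real RHEL/CentOS 6 host, reads the installed value from the rpm database instead. The required value is the one the poster quotes; it is not looked up from the errata page.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the scanner's comparison of
# the installed openssh-server VERSION-RELEASE against the one expected by
# the errata, using rpm's segment-wise ordering rules.

# rpm_vercmp A B: prints -1, 0 or 1 (A older than, equal to, newer than B).
# Simplified re-implementation of rpm's rpmvercmp. Assumption: the strings
# contain no '~' or '^', which holds for the el6 packages discussed here.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    # Split s into alternating numeric ("n...") and alphabetic ("a...") segments,
    # dropping separator characters; returns the number of segments.
    function segs(s, arr,    n, i, c, k, kind, cur) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) k = "n"
            else if (c ~ /[A-Za-z]/) k = "a"
            else k = ""
            if (k == "") {                      # separator: flush the open segment
                if (cur != "") { arr[++n] = kind cur; cur = "" }
                kind = ""; continue
            }
            if (kind != "" && k != kind) {      # digit/letter boundary: flush
                arr[++n] = kind cur; cur = ""
            }
            kind = k; cur = cur c
        }
        if (cur != "") arr[++n] = kind cur
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            ka = substr(A[i], 1, 1); kb = substr(B[i], 1, 1)
            va = substr(A[i], 2);    vb = substr(B[i], 2)
            if (ka != kb) { r = (ka == "n") ? 1 : -1; print r; exit }   # numeric beats alpha
            if (ka == "n") {                    # numeric: compare without leading zeros
                sub(/^0+/, "", va); sub(/^0+/, "", vb)
                if (length(va) != length(vb)) { r = (length(va) > length(vb)) ? 1 : -1; print r; exit }
            }
            if (va != vb) { r = (va > vb) ? 1 : -1; print r; exit }     # same type and length: lexical
        }
        if (na == nb) r = 0; else r = (na > nb) ? 1 : -1              # more segments wins
        print r
    }'
}

# evr_cmp A B: compare "VERSION-RELEASE" strings the way rpm/yum order packages:
# version first, release only if the versions tie. Assumption: epoch is 0 on
# both sides (true for openssh on el6), so no epoch is parsed.
evr_cmp() {
    v1=${1%%-*}; r1=${1#*-}
    v2=${2%%-*}; r2=${2#*-}
    c=$(rpm_vercmp "$v1" "$v2")
    if [ "$c" -ne 0 ]; then
        echo "$c"
    else
        rpm_vercmp "$r1" "$r2"
    fi
}

# check_required INSTALLED REQUIRED: one-line verdict for a scanner finding.
check_required() {
    case "$(evr_cmp "$1" "$2")" in
        -1) echo "OUTDATED: installed $1 is older than required $2" ;;
         0) echo "OK: installed $1 equals required $2" ;;
         *) echo "NEWER: installed $1 is newer than required $2" ;;
    esac
}

# Constructed inputs taken from the thread: what is installed vs what the
# scanner asks for.
INSTALLED_EVR="5.3p1-81.el6_3"
REQUIRED_EVR="5.3p1-84.1.el6"

# On a real RHEL/CentOS 6 host, read the installed value from the rpm database
# instead (rpm -q exits non-zero when the package is not installed, in which
# case the constructed value above is kept).
if command -v rpm >/dev/null 2>&1; then
    live=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-server 2>/dev/null) && INSTALLED_EVR=$live
fi
check_required "$INSTALLED_EVR" "$REQUIRED_EVR"
```

Run on the poster's values it prints `OUTDATED: installed 5.3p1-81.el6_3 is older than required 5.3p1-84.1.el6`, confirming that the scanner is not confused by backporting here: the upstream version (5.3p1) is the same on both sides and only the Red Hat release number differs, which is exactly what the errata changes. On the dependency error from yum: openssh-server on el6 requires the openssh base package at the same version-release, so updating `openssh-server` on its own is refused when `openssh` and `openssh-clients` would be left behind; updating them together (`yum update 'openssh*'`) is the usual way past that, and it can be done over the existing SSH session because sshd keeps established connections open across the package upgrade.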
 
Old 11-20-2013, 06:44 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,474

Hi Andy,

Contact RedHat support and ask their advice. What version of RedHat are you using?

Quote:
Originally Posted by andypooz
Surely there are lots of users needing pci compliance.
I'm surprised that your PCI Auditor is happy for you to be using a "third party" VPS to hold cardholder data. How do they propose doing the datacenter level vulnerability scan on the physical hardware?
 
Old 11-20-2013, 06:46 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,474

Oh, and good luck with PCI certification, took us about 18 months to complete it end-to-end.
 
Old 11-20-2013, 06:58 AM   #4
andypooz
LQ Newbie
 
Registered: Nov 2013
Posts: 2

Original Poster
Thanks

We don't store credit card numbers, but they are entered on the site and transmitted to the payment provider via SSL. This PCI compliance seems to be a full-time job in itself; ridiculous! Thanks for the advice.
 
Old 11-20-2013, 07:07 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,474

Quote:
Originally Posted by andypooz
We don't store credit card numbers, but they are entered on the site and transmitted to the payment provider via SSL.
Check to see if the site can be modified so that the entry of cardholder data is done on a secure "shopping cart" of your payment provider rather than on "your" site. That way you're sending a shopping cart / transaction ID backwards and forwards rather than CHD.

Quote:
Originally Posted by andypooz
This PCI compliance seems to be a full-time job in itself; ridiculous!
It pretty much is, depending on what level of PCI you seek. There is a "self-certified" level that many people consider enough, and there's the full-on certification that could take you months to achieve.

Quote:
Originally Posted by andypooz
Thanks for the advice
You're welcome.
 