VULNERABILITY: OpenSSH is failing PCI compliance scans

Hi

PCI compliance scans show the following for OpenSSH:

SSH-2.0-OpenSSH_6.6.1 detected

A vulnerability has been reported in the application which exists when using the ssh -X option to connect to the SSH client's X server, which allows
connections without being subject to X11 SECURITY restrictions.
Affected Versions:
OpenSSH prior to version 6.9

IMPACT:
Successful exploitation of this vulnerability will allow an attacker to interact with the X server without being subject to X SECURITY restrictions or
authentication.

SOLUTION:
Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 6.9 Release Notes for further information.

When is the OpenSSH in 13.1 and 13.2 going to be upgraded?

Many thanks

On Thu 27 Aug 2015 03:26:02 PM CDT, CNConrad wrote:
> When is the OpenSSH in 13.1 and 13.2 going to be upgraded?

Hi
Check the installed version's changelog for the CVE reference; fixes are
backported, so version numbers don't necessarily change. Sounds like
your scanner is only looking at the version number, when it should
possibly check for the vulnerability.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.44-52.10-default
If you find this post helpful and are logged into the web interface, please show your appreciation and click on the star below… Thanks!

On 2015-08-27 17:26, CNConrad wrote:
> When is the OpenSSH in 13.1 and 13.2 going to be upgraded?

*SUSE policy is not to update versions during the lifetime of stable
distributions, but to backport security updates instead (with some
exceptions). Thus, security analysis based on versions is useless on
openSUSE.

Unless the analyst checks the exact version and release against a
database of what was backported…


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
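To illustrate the point made in both replies above (a banner-only version check cannot see a backported fix, while the installed package's changelog can), here is an added example that is not part of the thread. It assumes a constructed `rpm -q --changelog openssh` excerpt and a placeholder CVE id, since the thread names neither the CVE nor the package release.

```python
import re

# Banner reported by the scanner and the upstream version carrying the fix,
# both taken from the thread.
BANNER = "SSH-2.0-OpenSSH_6.6.1"
FIXED_UPSTREAM = "6.9"

# Constructed sample of `rpm -q --changelog openssh` output with a hypothetical
# backport entry. CVE-XXXX-NNNNN is a placeholder; the thread gives no CVE id.
SAMPLE_CHANGELOG = """\
* Thu Aug 20 2015 maintainer@example.invalid
- backport fix for X11 SECURITY extension bypass with ssh -X
  (CVE-XXXX-NNNNN, placeholder id)
* Mon Mar 10 2014 maintainer@example.invalid
- update to 6.6.1
"""


def banner_version(banner):
    """Extract the upstream version tuple from an SSH banner string."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError("not an OpenSSH banner")
    return tuple(int(x) for x in m.group(1).split("."))


def version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def version_only_flags(banner, fixed=FIXED_UPSTREAM):
    """What a banner-only scanner does: flag anything below the fix version."""
    return banner_version(banner) < version_tuple(fixed)


def changelog_has_fix(changelog, cve):
    """Malcolm's check: look for the CVE reference in the package changelog."""
    return re.search(re.escape(cve), changelog, re.IGNORECASE) is not None


def assess(banner, changelog, cve, fixed=FIXED_UPSTREAM):
    """Combine both views: 'fixed-upstream', 'backported' or 'vulnerable'."""
    if not version_only_flags(banner, fixed):
        return "fixed-upstream"
    if changelog_has_fix(changelog, cve):
        return "backported"
    return "vulnerable"
```

The changelog lookup stands in for the per-release advisory database Carlos mentions; on a real host the input would come from `rpm -q --changelog openssh` rather than the constructed sample.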