Upgrading the OpenSSH version on a cPanel CentOS server.
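If your PCI report (vulnerability scan report) lists specific CVEs, you can use the following method to check whether each one has already been fixed in your installed version. Red Hat-based distributions such as CentOS backport security fixes without changing the upstream version number, so a scanner that only reads the version string can flag a CVE that the package changelog shows as fixed.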
# rpm -q --changelog openssh > openssh.changelog
# cat openssh.changelog | grep CVE-2006-5794
root@ajeesh [~]# cat openssh.changelog | grep CVE-2006-5794
- CVE-2006-5794 - properly detect failed key verify in monitor (#214642)
root@ajeesh [~]# rpm -qa | grep ssh
openssh-server-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
fuse-sshfs-2.4-1.el5
openssh-4.3p2-82.el5
root@ajeesh [~]# yum upgrade openssh*
Loaded plugins: fastestmirror, rhnplugin
Loading mirror speeds from cached hostfile
* cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
* epel: mirrors.tummy.com
* rpmforge: mirror.teklinks.com
Excluding Packages in global exclude list
Finished
Setting up Upgrade Process
No Packages marked for Update
root@ajeesh [~]#
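yum cannot upgrade ssh here: the CentOS repositories do not provide a newer OpenSSH release.
So you can use the following steps to upgrade OpenSSH on your CentOS server. Note that once a self-built package with a higher version is installed, the distribution's yum updates will most likely no longer supply backported OpenSSH security fixes, so you have to track new OpenSSH releases and rebuild the package yourself.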
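1. root@Ajeesh [/usr/src]# wget http://mirror.esc7.net/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
   (This download uses plain HTTP from a mirror, so verify the tarball against the PGP signature or checksum published by the OpenSSH project before building it.)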
2. [/usr/src]# tar -xvzf openssh-6.1p1.tar.gz
3. [/usr/src]# cd openssh-6.1p1
4. [/usr/src/openssh-6.1p1]# cp contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
5. [/usr/src/openssh-6.1p1]# cd ..
6. ]# cp openssh-6.1p1.tar.gz /usr/src/redhat/SOURCES/
7. cd /usr/src/redhat/SPECS
8. perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
9. [/usr/src/redhat/SPECS]# rpmbuild -bb openssh.spec
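10. ]# cd /usr/src/redhat/RPMS/x86_64/
11. ]# rpm -Uvh *.rpm
   (Keep your current root session open and confirm that a new SSH login works before you log out, in case the upgraded sshd does not accept connections.)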
]# rpm -qa | grep ssh
openssh-6.1p1-1
openssh-server-6.1p1-1
openssh-clients-6.1p1-1
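If your PCI report (vulnerability scan report) lists specific CVEs, you can use the following method to check whether each one has already been fixed in your installed version. Red Hat-based distributions such as CentOS backport security fixes without changing the upstream version number, so a scanner that only reads the version string can flag a CVE that the package changelog shows as fixed.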
# rpm -q --changelog openssh > openssh.changelog
# cat openssh.changelog | grep CVE-2006-5794
root@ajeesh [~]# cat openssh.changelog | grep CVE-2006-5794
- CVE-2006-5794 - properly detect failed key verify in monitor (#214642)
root@ajeesh [~]# rpm -qa | grep ssh
openssh-server-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
fuse-sshfs-2.4-1.el5
openssh-4.3p2-82.el5
root@ajeesh [~]# yum upgrade openssh*
Loaded plugins: fastestmirror, rhnplugin
Loading mirror speeds from cached hostfile
* cloudlinux-x86_64-server-5: xmlrpc.cln.cloudlinux.com
* epel: mirrors.tummy.com
* rpmforge: mirror.teklinks.com
Excluding Packages in global exclude list
Finished
Setting up Upgrade Process
No Packages marked for Update
root@ajeesh [~]#
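yum cannot upgrade ssh here: the CentOS repositories do not provide a newer OpenSSH release.
So you can use the following steps to upgrade OpenSSH on your CentOS server. Note that once a self-built package with a higher version is installed, the distribution's yum updates will most likely no longer supply backported OpenSSH security fixes, so you have to track new OpenSSH releases and rebuild the package yourself.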
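1. root@Ajeesh [/usr/src]# wget http://mirror.esc7.net/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
   (This download uses plain HTTP from a mirror, so verify the tarball against the PGP signature or checksum published by the OpenSSH project before building it.)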
2. [/usr/src]# tar -xvzf openssh-6.1p1.tar.gz
3. [/usr/src]# cd openssh-6.1p1
4. [/usr/src/openssh-6.1p1]# cp contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
5. [/usr/src/openssh-6.1p1]# cd ..
6. ]# cp openssh-6.1p1.tar.gz /usr/src/redhat/SOURCES/
7. cd /usr/src/redhat/SPECS
8. perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
9. [/usr/src/redhat/SPECS]# rpmbuild -bb openssh.spec
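10. ]# cd /usr/src/redhat/RPMS/x86_64/
11. ]# rpm -Uvh *.rpm
   (Keep your current root session open and confirm that a new SSH login works before you log out, in case the upgraded sshd does not accept connections.)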
]# rpm -qa | grep ssh
openssh-6.1p1-1
openssh-server-6.1p1-1
openssh-clients-6.1p1-1