[BlueOnyx:27051] Re: PCI problem with OpenSSH

Taco Scargo taco at blueonyx.nl
Fri Jun 14 03:23:42 -05 2024


Hi Michael,

Check if you have openssh-8.0p1-24.el8.x86_64 installed.
This is the RH version of the OpenSSH package that includes the fix.
See: https://access.redhat.com/errata/RHSA-2024:3166

Best regards,

Taco Scargo

> On 14 Jun 2024, at 09:08, Michael Aronoff via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
> 
> I have a server that needs to pass a PCI Compliance scan. It passes everything except an issue with OpenSSH that I am not sure how to mitigate.
> 
> The results show that the CVE ID is CVE-2020-15778
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
> 
> The threat description is:
> 
> OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.
> 
> OpenSSH contains the following vulnerabilities:
> OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
> Affected Versions:
> OpenSSH versions prior to 8.3
> 
> Anyone know if this can be fixed on a 5210R so it passes PCI Compliance?
> 
> Thanks, 
> ________________________________
> M Aronoff Out – maronoff at gmail.com
>  
> I'm a great believer in luck, and I find 
> the harder I work the more I have of it.
>   - Thomas Jefferson
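The check Taco suggests, written out as a small POSIX shell script. This is an added example, not code from the list post or from the BlueOnyx project. It takes the installed package's version-release string (on the box itself that comes from `rpm -q openssh --qf '%{VERSION}-%{RELEASE}\n'`) and compares it against openssh-8.0p1-24.el8; it assumes, as the post states, that this release carries the backported fix and that later el8 releases of the same 8.0p1 stream keep it. A scanner that keys only on the "8.0p1" banner cannot see a backport, which is why the RPM release number, not the upstream version, is the thing to check. The sample strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): does the installed openssh RPM sit at or
# past openssh-8.0p1-24.el8, the release named as carrying the RHSA-2024:3166 fix?
#
# On the server the real input is:
#   rpm -q openssh --qf '%{VERSION}-%{RELEASE}\n'      -> e.g. 8.0p1-24.el8
# and the backport itself can be confirmed in the package changelog:
#   rpm -q --changelog openssh | grep -i CVE-2020-15778

FIXED_VERSION="8.0p1"   # upstream version string of the el8 OpenSSH stream
FIXED_RELEASE=24        # numeric part of the fixed release "24.el8" (assumption: later releases keep the fix)

# openssh_el8_status VERSION-RELEASE
# Prints one of: fixed, vulnerable, unknown.
# "unknown" covers anything outside the el8 8.0p1 stream or a malformed
# string, so a different stream is never mistaken for a fixed build.
openssh_el8_status() {
    vr="$1"
    case "$vr" in
        *-*) ;;                      # must contain a version-release separator
        *) echo unknown; return ;;
    esac
    ver="${vr%%-*}"                  # "8.0p1"
    rel="${vr#*-}"                   # "24.el8" or "25.el8_10"
    relnum="${rel%%.*}"              # leading integer of the release
    if [ "$ver" != "$FIXED_VERSION" ]; then
        echo unknown; return
    fi
    case "$relnum" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$relnum" -ge "$FIXED_RELEASE" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample inputs (not real scan output) to show each verdict.
for sample in "8.0p1-24.el8" "8.0p1-25.el8_10" "8.0p1-23.el8" "7.4p1-21.el7" "8.0p1"; do
    printf '%-16s %s\n' "$sample" "$(openssh_el8_status "$sample")"
done
```

On a live system replace the sample loop with `openssh_el8_status "$(rpm -q openssh --qf '%{VERSION}-%{RELEASE}\n')"`; a "vulnerable" verdict means the package predates the fixed build and needs updating, and "unknown" means the host is not on the el8 8.0p1 stream and the changelog grep above is the right next step.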
