Are CVE-2010-4478 and CVE-2011-0539 fixed in OpenSSH 5.3?

Citizen asked:

I’m running OpenSSH 5.3p1-81.el6_3, which according to my server is the latest stable version. My PCI scan is showing CVE-2010-4478 and CVE-2011-0539 exploits as being present due to my OpenSSH version.

Checking `rpm -q --changelog openssh` shows that there have been updates as late as October 2012. Surely these have been resolved? There are newer versions of SSH (6.x I believe), but from what I can tell, Red Hat/CentOS backports security fixes to old stable versions like 5.3.

Are these fixed in my version or aren’t they? If yes, how can I show this to my PCI scanner to prove a false positive?


My answer:

Yes, you are up to date, and not vulnerable to these particular vulnerabilities.

To resolve this, you need to look up each CVE at Red Hat and note the status of the package. In some cases, a backported fix will be available. In others, the package won’t be vulnerable because of various factors (for instance, the vulnerable functionality may not be present in the vendor’s build).

In the case of backported fixes, if you have the same or a newer package as that noted in the advisory, you are fine. You simply note that your package contains a backported fix and use the information from Red Hat as evidence that the fix has been applied.

For packages listed by the vendor as not vulnerable, just provide the information given.

In this particular case, the CVEs are:

View the full question and any other answers on Server Fault.
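As an added example (not code from the Server Fault thread), the following Python script does the two checks the answer describes: it compares the installed version-release against the advisory's the way rpm orders versions, and it scans `rpm -q --changelog` output for the CVE IDs the scanner flagged. The changelog text is constructed, and any advisory version you pass in (e.g. `5.3p1-70.el6` in the usage below) is a placeholder, not Red Hat's real value.

```python
import re
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def rpmvercmp(a, b):
    """RPM-style version compare: digit runs by value, letter runs lexically (like rpmvercmp)."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    # a trailing numeric segment makes that string newer, a trailing alpha one older
    return 1 if a_longer == rest.isdigit() else -1

def at_least(installed_vr, required_vr):
    """True if the installed 'version-release' equals or is newer than the advisory's."""
    iv, ir = installed_vr.split("-", 1)
    rv, rr = required_vr.split("-", 1)
    return (rpmvercmp(iv, rv) or rpmvercmp(ir, rr)) >= 0

def cves_in_changelog(changelog, flagged):
    """Map each flagged CVE to the changelog entry header naming it, or None if no entry does."""
    found, header = {cve: None for cve in flagged}, None
    for line in changelog.splitlines():
        if line.startswith("* "):
            header = line[2:]
        for cve in CVE_RE.findall(line):
            if cve in found and found[cve] is None:
                found[cve] = header
    return found

# Constructed text standing in for real `rpm -q --changelog openssh` output.
CHANGELOG = """\
* Mon Oct 01 2012 Example Maintainer <maint@example.com> - 5.3p1-81
- constructed entry that names no CVE

* Tue Mar 01 2011 Example Maintainer <maint@example.com> - 5.3p1-70
- constructed entry: backported fix for CVE-2011-0539
"""
```

A CVE that `cves_in_changelog` returns as None is not evidence of exposure: as the answer says, the vendor's CVE page may list the package as not affected, and that statement is what goes to the scanner. Call `at_least("5.3p1-81.el6_3", "5.3p1-70.el6")` with the advisory's real version-release in place of the placeholder.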

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.