# Updating OpenSSH for PCI Compliance



## SuicideApple (Jul 27, 2020)

Hello all,

I am currently running a FreeBSD 12.1 server with OpenSSH ver 7.8. I have attempted to run and succeded in running freebsd-update fetch/install and my OpenSSH refuses to update. My PCI test claims I require at least 8.1, any ideas?


----------



## SirDice (Jul 27, 2020)

Your PCI  compliancy test is braindead. The version we have in the base receives proper security updates, but the version number will stay the same.

To give you an example of how braindead that test is, on RHEL8 OpenSSH is 8.0. On RHEL7 it is 7.4.  So according to your tests those aren't PCI compliant either? I'm quite sure Red Hat has a very different opinion of that.


----------



## rafael_grether (Dec 30, 2021)

SIrDice,

I was looking on the forum, and I found this topic more similar to my question.
On FreeBSD 13, my OpenSSH version is 7.9p1

Theoretically, by version, I'm vulnerable to important security issues like CVE-2019-6111 and CVE-2019-6110.
This was also pointed out by some security scanners.

Are you saying that despite the version number, OpenSSH 7.9 (installed on base system) is fully security patched?
It makes sense. Otherwise FreeBSD 13 would not be released with this version of OpenSSH.

So, there is no need to install OpenSSH Portable.

Thanks,
Grether


----------



## richardtoohey2 (Dec 30, 2021)

Looks like a fix for 6111 was applied to 12.0:

e.g. https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc

This article makes it _look_ as though still an issue on 12.2: https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-patch-openssh-in-freebsd-12-2/

But not sure if the tool he is using is string-matching on the version of OpenSSH rather than actually checking if the vulnerability is actually present.

Other CVEs fixed in the same commit:






						234965 – scp client multiple vulnerabilities (openssh in base/ports affected: CVE-2018-20685 CVE-2019-6111 CVE-2019-6109,6110)
					






					bugs.freebsd.org
				




So in theory the answer to your question is yes, it should be fine in 13.0, but would need more digging to be utterly sure.


----------

