To keep this thread updated in case anyone else gets the same ‘OpenSSH < 9.x’ vulnerabilities listed in the report from a PCI compliance scan (which is why I asked - probably should have mentioned that in the OP!) - here are the details we eventually sent the PCI company, which they accepted as a verified false-positive.
Apologies for the URL clutter in the below, got an error ‘Sorry, new users can only put 2 links in a post’ when I attempted to post it with normal hyperlinks.
The exact version of OpenSSH installed on the server consists of the packages from the following location: https://repo.almalinux.org/almalinux/8.10/BaseOS/x86_64/os/Packages/ - in particular openssh-8.0p1-25.el8_10.x86_64.rpm, openssh-server-8.0p1-25.el8_10.x86_64.rpm.
These are compiled from the sources at: https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10
See in particular the following included patches, backported from newer versions of OpenSSH, named after the CVEs they fix:
https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch
https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch
https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.6p1-CVE-2023-48795.patch
https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/SOURCES/openssh-9.6p1-CVE-2023-51385.patch
The bug report of CVE-2023-51384 (https://bugzilla.redhat.com/show_bug.cgi?id=2255268) references the following code that introduces the vulnerability: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
This code is not present in the sources of openssh-8.0p1-25.el8_10 in the AlmaLinux 8.10 release (original openssh-8.0p1.tar.gz with matching SHA1 checksum (https://git.almalinux.org/rpms/openssh/src/tag/imports/c8/openssh-8.0p1-25.el8_10/.openssh.metadata) and PGP signature (https://git.almalinux.org/rpms/openssh/src/branch/c8/SOURCES/openssh-8.0p1.tar.gz.asc) plus patches in the repository linked above).
CVE-2019-16905 (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-16905) requires OpenSSH to be compiled with XMSS key support using the WITH_XMSS macro (https://ssd-disclosure.com/ssd-advisory-openssh-pre-auth-xmss-integer-overflow/) (i.e. the -DWITH_XMSS compiler flag), which is not present in the build specification for openssh-8.0p1-25.el8_10 in the AlmaLinux 8.10 release (https://git.almalinux.org/rpms/openssh/src/branch/c8/SPECS/openssh.spec).
The sources linked above were built into the AlmaLinux 8.10 release as can be seen in this entry of the AlmaLinux Build System: https://build.almalinux.org/build/16589
More information on the AlmaLinux Build System can be found in the AlmaLinux Build System documentation and wiki: https://github.com/AlmaLinux/build-system
https://github.com/AlmaLinux/build-system/wiki/
I also included terminal output from the server of OS info as seen in the /etc/os-release file, information on all installed OpenSSH packages and SHA1 checksums of all files included in each, and the resolved URLs of the packages in the repos used by the server, using the following commands (may be different on your server’s OS):
cat /etc/os-release
dnf repoquery --info --installed openssh*
dnf repoquery --location openssh*
dnf repoquery -l openssh | xargs sha1sum
dnf repoquery -l openssh-clients | xargs sha1sum
dnf repoquery -l openssh-server | xargs sha1sum
Hope that helps anyone else currently having fun with PCI compliance reports.
– Joe
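A small helper, added here as an example and not part of Joe's post or the AlmaLinux packaging, that turns the same argument (the version string stays 8.0p1 while the fixes arrive as backported patches) into a repeatable check: it looks each scanner-reported CVE up in the RPM changelog and reports the package release whose entry mentions it. The changelog text below is constructed for illustration, not real AlmaLinux output; on a live host feed it `rpm -q --changelog openssh` instead.

```shell
#!/bin/sh
# Constructed excerpt in the format of `rpm -q --changelog openssh`; the
# dates, maintainer and release numbers are illustrative, not real.
SAMPLE_CHANGELOG='* Tue Dec 19 2023 Example Maintainer <pkg@example.invalid> - 8.0p1-20
- Fix CVE-2023-48795 (prefix truncation in the SSH transport)
- Fix CVE-2023-51385 (OS command injection via ProxyCommand)
* Mon Jul 24 2023 Example Maintainer <pkg@example.invalid> - 8.0p1-19
- Fix CVE-2023-38408 (ssh-agent PKCS#11 remote code execution)'

# Print every CVE identifier mentioned in the changelog text, sorted, unique.
cves_in_changelog() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the package release (last field of the "* date name - EVR" header)
# whose changelog entry mentions CVE $2; exit 1 if no entry mentions it.
fix_release() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { rel = $NF; next }
        $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { print rel; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# For each CVE the scanner listed, say which release carries the backported
# fix, or flag it for manual review (sources, build flags) when the changelog
# is silent. Returns the number of CVEs that still need review.
triage() {
    triage_log=$1
    triage_open=0
    for cve in $2; do
        if rel=$(fix_release "$triage_log" "$cve"); then
            printf '%s: fix recorded in changelog entry for release %s\n' "$cve" "$rel"
        else
            printf '%s: not in changelog, review sources and build options\n' "$cve"
            triage_open=$((triage_open + 1))
        fi
    done
    return "$triage_open"
}

# Stand-alone run against the constructed changelog. On a real host, pass
# "$(rpm -q --changelog openssh)" as the first argument instead.
triage "$SAMPLE_CHANGELOG" "CVE-2023-51385 CVE-2023-38408 CVE-2019-16905" ||
    echo "$? CVE(s) still need manual review"
```

A CVE flagged for review is not automatically a true positive: as the post shows for CVE-2019-16905, the next step is to check the spec file and sources for the affected code or build option.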