Upgrade OpenSSH Server on Debian Jessie to Latest Version

debian-jessie ssh

I have a Debian 8 server for a customer that is failing a PCI scan, presumably running:

nmap -p 22 -sV customer.edu

which returns

22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7

This should be easy, given my /etc/apt/sources.list is this:

deb http://mirror.rackspace.com/debian jessie main
deb-src http://mirror.rackspace.com/debian jessie main
deb http://mirror.rackspace.com/debian-security/ jessie/updates main
deb-src http://mirror.rackspace.com/debian-security/ jessie/updates main
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-backports main
deb http://security.debian.org/ jessie/updates main contrib non-free

sudo apt-get upgrade openssh-server returns:

Calculating upgrade... openssh-server is already the newest version.

Is there a better way to get the latest OpenSSH server?

I attempted to download it and install its OpenSSL 1.0.2-stable dependency in /usr/local/, but I am having serious trouble with it failing.

Are my choices to find a better source in apt-get, or attempt to install it and its OpenSSL dependency in /usr/local and manually point systemctl to those binaries?

Best Answer

> failing a PCI scan

Document for your auditor the version of the package installed. Reference security updates regarding OpenSSH, in this case from Debian. Possibly cross-reference relevant CVEs.

Parsing a version number is fragile. Stable distros generally do not upgrade the version, but apply their own patches.
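
One way to assemble the evidence the answer describes, as an added example that is not part of the original question or answer: it separates the upstream version from the Debian revision and lists the CVEs each revision's changelog entry mentions. The function names are hypothetical, the `1:` epoch is assumed, and the changelog excerpt with its CVE ids is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): build auditor evidence from the
# package changelog instead of trusting the upstream version in the SSH banner.

# Split a Debian package version "[epoch:]upstream-revision" into its parts.
split_version() {
    v=${1#*:}                      # drop the epoch, if any
    printf '%s %s\n' "${v%-*}" "${v##*-}"
}

# Read a Debian-format changelog on stdin; print "version<TAB>CVE-id" once for
# every CVE mentioned under each package revision.
cve_evidence() {
    awk '
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
        ver != "" {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!seen[ver, id]++) print ver "\t" id
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Constructed changelog excerpt; the CVE ids are placeholders, not real ones.
sample_changelog() {
    cat <<'EOF'
openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=medium

  * Backport upstream fix for CVE-0000-00003.
  * CVE-0000-00004: tighten input validation (also CVE-0000-00003).

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

openssh (1:6.7p1-5+deb8u6) jessie-security; urgency=high

  * CVE-0000-00002: backported patch.

 -- Example Maintainer <maint@example.org>  Sun, 01 Jan 2017 00:00:00 +0000
EOF
}

# On the server itself (assumed typical commands and path):
#   dpkg-query -W -f='${Version}\n' openssh-server
#   zcat /usr/share/doc/openssh-server/changelog.Debian.gz | cve_evidence
split_version "1:6.7p1-5+deb8u7"
sample_changelog | cve_evidence
```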
