My system is vulnerable to OpenSSH Wildcards on AcceptEnv Vulnerability, CVE-2014-2532.
I have tried to update openssh to version 6.6 for CentOS, but I cannot get a repository for that version.
/EDIT/
PCI-DSS compliance is a driving factor for this question.
Best Answer
The PCI requirement is to:
Just randomly downloading unsupported alternative software versions is not what you should be doing...
The Vendor Response is:
So no Red Hat fix for now and therefore no CentOS fix either.
The reason for that Low Risk assessment is because the default configuration that is shipped by Red Hat and CentOS does not include wildcard (*) AcceptEnv values.
Now the question is: are you vulnerable because you changed the vendor-supplied defaults? If so, can you remove or rewrite your custom AcceptEnv wildcards, making your system secure again?
Or is the auditor just triggered by the openssh software version number, and are you not really vulnerable at all?
Because the latter happens all the time...
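One way to perform the check the answer describes, as an added example that is not part of the original question or answer: a small POSIX shell script that scans an sshd_config for AcceptEnv directives whose pattern list contains a wildcard. The sample config it scans is constructed for the demonstration and the function name is my own; on a real host point it at /etc/ssh/sshd_config (or the effective configuration printed by `sshd -T`).

```shell
#!/bin/sh
# Added example (not from the original post): report AcceptEnv directives that
# contain a '*' or '?' wildcard, i.e. the non-default configuration that makes
# CVE-2014-2532 relevant on an otherwise default Red Hat / CentOS sshd.

# find_wildcard_acceptenv FILE
# Prints every AcceptEnv line that carries a wildcard; returns 0 when there are
# none, 1 when at least one was found.
find_wildcard_acceptenv() {
    # Strip comments, match the directive case-insensitively (sshd accepts any
    # case), then keep only lines whose variable patterns contain * or ?.
    matches=$(sed 's/#.*//' "$1" \
        | grep -Ei '^[[:space:]]*AcceptEnv[[:space:]]' \
        | grep -E '[*?]' || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Constructed sample: the locale-only list a stock CentOS sshd_config ships with,
# plus one custom line that introduces a wildcard.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# custom addition that widens what a client may set in the session environment
acceptenv MYAPP_*
EOF

if find_wildcard_acceptenv "$SAMPLE_CONF"; then
    echo "no wildcard AcceptEnv entries: vendor default, not affected"
else
    echo "wildcard AcceptEnv entries found: remove or narrow them to named variables"
fi
rm -f "$SAMPLE_CONF"
```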