Centos 7 and OpenSSH

Sanjar
Posts: 2
Joined: 2022/10/26 09:11:13

Centos 7 and OpenSSH

Post by Sanjar » 2022/10/26 09:14:29

Hello, I am new to Linux. I have CentOS 7 and OpenSSH 7.4p1-22.el7_9.x86_64. Is it possible to update this version on CentOS 7?
Thanks

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7 and OpenSSH

Post by TrevorH » 2022/10/26 10:08:21

Possible? Well, yes, given enough effort anything is possible.

Advisable? No.

Red Hat regularly release patches to fix security problems and among the things they do is fix any security bugs that are announced. So even though openssh 7.4p1 may not be the latest greatest version available, it is still secure.

If you go outside the packages supplied by CentOS then you will not receive timely security updates to those packages so updating openssh to a newer version as a one off may leave you more insecure than you were before.

Please see https://access.redhat.com/security/updates/backporting/ for information on backporting of security fixes and features in CentOS and RHEL. Additionally https://access.redhat.com/solutions/2074 may also be of use.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Sanjar
Posts: 2
Joined: 2022/10/26 09:11:13

Re: Centos 7 and OpenSSH

Post by Sanjar » 2022/10/26 10:44:30

TrevorH wrote:
2022/10/26 10:08:21
Possible? Well, yes, given enough effort anything is possible.

Advisable? No.

Red Hat regularly release patches to fix security problems and among the things they do is fix any security bugs that are announced. So even though openssh 7.4p1 may not be the latest greatest version available, it is still secure.

If you go outside the packages supplied by CentOS then you will not receive timely security updates to those packages so updating openssh to a newer version as a one off may leave you more insecure than you were before.

Please see https://access.redhat.com/security/updates/backporting/ for information on backporting of security fixes and features in CentOS and RHEL. Additionally https://access.redhat.com/solutions/2074 may also be of use.

The problem is the vulnerabilities that we found. The scanner told us that we have problems with ssh.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7 and OpenSSH

Post by TrevorH » 2022/10/26 11:09:00

The problem is in vulnerabilities that we found. And scanner told that we have problems with ssh
That is very likely to be problems in the scanner not the openssh version. If you can supply some of the CVE numbers it complains about then you can usually see if they are fixed by looking in the output from rpm -q --changelog openssh - which if you run it you can see the latest change was
* Thu Sep 30 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
- fix CVE-2021-41617 (#2008884)
You will be in more trouble if you replace the distro version not less.
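
The changelog check described in the post above, as an added example that is not part of the original thread: it looks up scanner-reported CVE ids in the output of rpm -q --changelog rather than relying on the upstream version number. The helper name cve_status and the variable SAMPLE_CHANGELOG are hypothetical, and the sample input is constructed from the changelog entry quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): look up scanner-reported CVE ids in an
# RPM changelog instead of trusting the upstream version number in the banner.

# Constructed sample input: the changelog entry quoted in the post above.
SAMPLE_CHANGELOG='* Thu Sep 30 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
- fix CVE-2021-41617 (#2008884)'

# cve_status CHANGELOG_TEXT CVE_ID...   (hypothetical helper name)
# Prints one line per id:
#   <id> LISTED <release>   newest changelog entry that mentions the id
#   <id> NOT-LISTED         no mention; check the vendor CVE page
#   <id> INVALID            not of the form CVE-YYYY-NNNN...
cve_status() (
    changelog=$1
    shift
    for cve in "$@"; do
        # Reject anything that is not a plain CVE id before it is used as a regex.
        if ! printf '%s\n' "$cve" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            echo "$cve INVALID"
            continue
        fi
        printf '%s\n' "$changelog" | awk -v cve="$cve" '
            # Header line: "* <date> <packager> <email> - <version-release>"
            /^\* / { rel = $0; sub(/^.*>[ -]*/, "", rel); next }
            # Require a non-digit after the id so CVE-2021-4161 does not
            # match inside CVE-2021-41617.
            $0 ~ (cve "([^0-9]|$)") { print cve, "LISTED", rel; found = 1; exit }
            END { if (!found) print cve, "NOT-LISTED" }'
    done
)

# On a real host, feed it the installed package's changelog; otherwise fall
# back to the constructed sample so the script still runs offline.
if command -v rpm >/dev/null 2>&1 && rpm -q openssh >/dev/null 2>&1; then
    changelog=$(rpm -q --changelog openssh)
else
    changelog=$SAMPLE_CHANGELOG
fi
cve_status "$changelog" CVE-2021-41617 CVE-2023-38408
```

NOT-LISTED only means the changelog does not mention the id; the package may be unaffected or the fix may not be released yet, which is what the Red Hat CVE pages linked in this thread are for.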

jclambert1
Posts: 1
Joined: 2023/07/24 12:42:00

Re: Centos 7 and OpenSSH

Post by jclambert1 » 2023/07/24 12:50:15

Not any longer... There seems to be a new threat for any version < 9.3p1.

https://blog.qualys.com/vulnerabilities ... -ssh-agent

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7 and OpenSSH

Post by TrevorH » 2023/07/24 13:47:47

I'd suggest watching https://access.redhat.com/security/cve/CVE-2023-38408 for news on what RH aim to do about this.

spawarbabu
Posts: 3
Joined: 2022/01/30 11:33:59

Re: Centos 7 and OpenSSH

Post by spawarbabu » 2023/08/04 14:50:06

Do we have patches released for CVE-2023-38408?

spawarbabu
Posts: 3
Joined: 2022/01/30 11:33:59

Do we have patches released for CVE-2023-38408

Post by spawarbabu » 2023/08/04 14:50:57

Do we have patches released for CentOS 7, as Red Hat released the openssh packages for CVE-2023-38408?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Do we have patches released for CVE-2023-38408

Post by TrevorH » 2023/08/04 15:31:07

It's not out yet but I just prodded the maintainer to build it. For some reason the automatic mail that comes out telling us of updates did not list this one.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7 and OpenSSH

Post by TrevorH » 2023/08/04 16:31:35

I have checked the patch backlog and we are 3 (that I know of) that are not out yet: there is the openssh update for CVE-2023-38408, there is an iperf3 update from 31/07 and there is a firefox update from today. All 3 have been submitted to the builders and hopefully should be out soon. Firefox is the most likely one to be delayed as every build seems to introduce new and inventive ways to break itself.
