Multiple CVEs in scan for OpenSSH 8.7 OpenSSH_8.7p1 on 9Stream

Support for security such as Firewalls and securing linux
undeadbill
Posts: 1
Joined: 2023/03/30 16:44:02

Multiple CVEs in scan for OpenSSH 8.7 OpenSSH_8.7p1 on 9Stream

Post by undeadbill » 2023/03/30 16:58:36

My latest security scan shows multiple Medium CVEs for OpenSSH that are resolved by moving to OpenSSH v9.2.

Any ideas on when OpenSSH v9.x packages will be released? Current OpenSSH.com release is at v9.3.

If there is some mechanism updating packages to this release aside from compiling my own, please let me know. If there is a non-default feature to CentOS 9Stream that enables this, I'm not aware of it.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Multiple CVEs in scan for OpenSSH 8.7 OpenSSH_8.7p1 on 9Stream

Post by TrevorH » 2023/03/30 17:17:40

> Any ideas on when OpenSSH v9.x packages will be released?

Almost certainly not until RHEL 10. Are you sure that whatever "scanner" you are using is aware of RHEL backporting policies? RHEL sticks on the same version of packages that were current at the initial release of the x.0 version until EOL. Security fixes are backported by RH to that version.

Check the current status of whatever CVE by plugging the correct number into e.g. https://access.redhat.com/security/cve/CVE-2021-41617

> If there is some mechanism updating packages to this release aside from compiling my own,

This is most definitely not recommended.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Multiple CVEs in scan for OpenSSH 8.7 OpenSSH_8.7p1 on 9Stream

Post by jlehtone » 2023/03/31 12:06:48

Red Hat describes backporting and version numbers in https://access.redhat.com/solutions/57665
(They even note there that some security scanners do generate false positives.)

You can read some update notes from installed packages. For example, for "openssh":

    rpm -q --changelog openssh | less

That is in addition to what Red Hat says (on the website that TrevorH posted a link to).


Furthermore, do remember that CentOS Stream 9 is a view to packages in development.
Some version of the packages will be released in a future RHEL 9 point update, but that
version does not necessarily appear in CS9. Red Hat made RHEL 9.2 beta public yesterday.
Therefore, the next openssh package released to CS9 will be a potential stepping stone on the path to RHEL 9.3.

Red Hat will release acute security patches for production systems. That is for RHEL 9.1 and RHEL 9.0 EUS.
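The check the replies above describe, as an added example that is not from this thread or from Red Hat: rather than comparing the version string (which stays at 8.7p1 under backporting), look for the CVE id in the installed package's changelog. The changelog text below is constructed for the example; only the CVE id appears on this page.

```shell
#!/bin/sh
# Added example: decide whether an installed RPM's changelog mentions a CVE.
# A backported fix shows up as a changelog entry even though the upstream
# version string (e.g. OpenSSH_8.7p1) never changes, which is exactly what
# a version-only scanner misses.

# Constructed sample standing in for the real output of
#   rpm -q --changelog openssh
# The entry wording, dates and maintainer are made up for this example.
SAMPLE_CHANGELOG='* Mon Jan 10 2022 Example Maintainer <maint@example.invalid> - 8.7p1-8
- Fix CVE-2021-41617 (constructed backport entry for this example)

* Tue Nov 09 2021 Example Maintainer <maint@example.invalid> - 8.7p1-7
- rebuild for new toolchain'

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Exit 0 when the CVE id appears in the changelog text, 1 otherwise.
# The match is case-insensitive and bounded on both sides so that a
# shorter id (CVE-2021-4161) does not match a longer one (CVE-2021-41617).
cve_in_changelog() {
    cve=$1
    text=$2
    printf '%s\n' "$text" | grep -qiE "(^|[^0-9A-Za-z-])${cve}([^0-9]|$)"
}

# cve_status CVE-ID CHANGELOG_TEXT
# Prints "backported" or "not-mentioned" for triaging scanner findings.
cve_status() {
    if cve_in_changelog "$1" "$2"; then
        echo backported
    else
        echo not-mentioned
    fi
}

# Live usage on a RHEL / CentOS Stream host (not run here):
#   cve_status CVE-2021-41617 "$(rpm -q --changelog openssh)"
```

A "not-mentioned" result is not proof of exposure: confirm against the Red Hat CVE page linked earlier, since a fix may also be described there as not applicable or not affected.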
