Do I need to update the SSH version?

Hey folks,

I have Rocky Linux 8.8 running on my local network. I saw some buzz about CVE-2023-38408 and logged into my server to see the ssh version using ‘ssh -V’; I got the following result.

OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

In that case, ssh is at version 8.0p1, vulnerable to the exploit, so I ran a yum update to see if the ssh package would be updated, but it wasn't.

Is that a normal thing, or should I update the package manually? If I should update it manually, how should I do that?

Thanks in advance!

Manual upgrades are never recommended. Users will need to wait for the fixes to become available. cve-details / 2224173 – (CVE-2023-38408) CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support


@John-C @nazunalika is absolutely correct about waiting for the patch. When it comes out, your OpenSSH version will probably not change, or not much, but when you run:

rpm -q openssh --changelog | grep CVE

You will see the CVE in the listing, and at that point you will know that your version is patched. There’s no patch yet, so keep an eye on the bug report that @nazunalika posted and you should see the status of it change when the patch has been made. There will be a little lag between the patch happening and it appearing in Rocky Linux.

Steve

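A small check script, added here as an example (it is not from the thread and not Rocky Linux's own tooling), that wraps the rpm changelog check above in a function and shows why the version string alone cannot answer the question: a backported fix keeps the upstream version, so OpenSSH_8.0p1 stays 8.0p1 whether or not it is patched. The changelog text inside it is a constructed sample, and the release string "8.0p1-0.example" is a placeholder, not a real Rocky build.

```shell
#!/bin/sh
# Decide whether an installed package carries the fix for a CVE by reading the
# package changelog rather than the upstream version string.

# Returns 0 if the rpm changelog text on stdin mentions the CVE id as a whole
# word: -F for a literal match, -w so CVE-2023-3840 does not match CVE-2023-38408.
changelog_mentions_cve() {
    grep -qFw -- "$1"
}

# Prints the "* <date> <packager> - <version-release>" header of each changelog
# entry (rpm --changelog format on stdin) whose body mentions the CVE id.
changelog_entries_for_cve() {
    awk -v cve="$1" '
        /^\* / { header = $0 }
        {
            p = index($0, cve)
            # reject prefix matches such as CVE-2023-3840 inside CVE-2023-38408
            if (p && substr($0, p + length(cve), 1) !~ /[0-9]/ && header != "" && !seen[header]++)
                print header
        }'
}

# Wrapper for the command from the thread. 0 = changelog mentions the CVE,
# 1 = it does not, 2 = rpm missing or package not installed.
package_fixes_cve() {
    pkg="$1"; cve="$2"
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q "$pkg" >/dev/null 2>&1 || return 2
    rpm -q "$pkg" --changelog | changelog_mentions_cve "$cve"
}

# Constructed sample changelog (hypothetical entries, not Rocky's real changelog).
# Note the version stays 8.0p1 in the entry that carries the backported fix.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maint@example.invalid> - 8.0p1-0.example
- hypothetical backport: fix CVE-2023-38408 (constructed sample entry)

* Thu Mar 25 2021 Example Maintainer <maint@example.invalid> - 8.0p1-0.older
- rebuild against OpenSSL 1.1.1k FIPS (constructed sample entry)
'

main() {
    cve="${1:-CVE-2023-38408}"
    rc=0; package_fixes_cve openssh "$cve" || rc=$?
    case $rc in
        0) echo "openssh changelog mentions $cve: the installed build carries the fix" ;;
        1) echo "openssh changelog does not mention $cve: not patched yet" ;;
        *) echo "rpm not available; showing the constructed sample instead:"
           printf '%s' "$SAMPLE_CHANGELOG" | changelog_entries_for_cve "$cve" ;;
    esac
}
main "$@"
```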

describes some ways to mitigate the issue (before patches arrive).


Hey all,

Interesting. I’ll not touch anything and wait for fixes, since this CVE doesn’t affect me that much.

Thanks for all responses!