I have a Rocky Linux 8.8 machine running on my local network. I saw some buzz about CVE-2023-38408 and logged into my server to check the SSH version using ‘ssh -V’; I got the following result.
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
In that case, SSH is at version 8.0p1, vulnerable to the exploit, so I ran a yum update to see if the ssh package would be updated, but it wasn't.
Is that a normal thing, or should I update the package manually? If I should update it manually, how should I do that?
@John-C @nazunalika is absolutely correct about waiting for the patch. When it comes out, your OpenSSH version will probably not change, or not by much, but when you run:
rpm -q openssh --changelog | grep CVE
You will see the CVE in the listing, and at that point you will know that your version is patched. There’s no patch yet, so keep an eye on the bug report that @nazunalika posted and you should see the status of it change when the patch has been made. There will be a little lag between the patch happening and it appearing in Rocky Linux.
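A small script that automates the changelog check described in the answer above, written as an added example for this thread rather than taken from the post: it reads `rpm -q --changelog` output and reports the version-release of the newest entry that mentions a given CVE, which is the backport-aware way to tell whether a package is patched. The changelog text embedded below is constructed for the example, and its version string is a placeholder, not a real Rocky Linux build.

```shell
#!/bin/sh
# Read rpm changelog text on stdin and print the version-release of the
# newest entry that mentions the CVE. Exit 0 if found, 1 otherwise.
# rpm changelog headers look like:
#   * Tue Jul 25 2023 Name <mail@example> - 8.0p1-19
# so the version-release is the last field of the header line.
cve_fixed_in() {
  awk -v cve="$1" '
    /^\* /            { ver = $NF; next }        # remember current entry header
    index($0, cve)    { print ver; found = 1; exit }
    END               { exit found ? 0 : 1 }
  '
}

# Wrapper for a live system (needs rpm): check_pkg_cve openssh CVE-2023-38408
check_pkg_cve() {
  rpm -q --changelog "$1" | cve_fixed_in "$2"
}

# Constructed sample changelog; the version-release is a placeholder, not a
# real Rocky Linux package build.
SAMPLE_CHANGELOG='* Mon Aug 07 2023 Example Packager <packager@example.invalid> - 8.0p1-0.constructed
- Fix CVE-2023-38408 (constructed entry for this example)

* Wed Mar 01 2023 Example Packager <packager@example.invalid> - 8.0p1-0.older
- Rebuild for testing
'

# Demo run against the constructed sample.
if v=$(printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2023-38408); then
  echo "CVE-2023-38408 first mentioned in version-release: $v"
else
  echo "CVE-2023-38408 not found in changelog; package is not yet patched"
fi
```

On a real host, `check_pkg_cve openssh CVE-2023-38408` prints nothing and returns 1 until the patched build lands, which matches the "no patch yet" state described above.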