Openssh 8.0p1 does not contain the latest CVE? Running version Rocky 8.10

The latest CVEs for openssh are not installed. What could be the issue? RLSA-2024:0606 was released in February but is not listed by my command rpm -q openssh --changelog | grep CVE

Are you using aarch64 packages? It appears that this only affects those.
https://errata.rockylinux.org/RLSA-2024:0606

Good information sspencerwire. Thank you.

Our security audit is flagging openssh for
CVE-2023-51385
CVE-2023-38408
CVE-2023-48795
When I run the rpm -q openssh --changelog | grep CVE command I see CVE-2023-38408 fixed but nothing newer than 2023.

  • Providing a kill switch for scp to deal with CVE-2020-15778
    Related: CVE-2023-38408
    Resolves: CVE-2023-38408
  • CVE-2021-41617 upstream fix (#2008885)
  • CVE-2020-14145 openssh: Observable Discrepancy leading to an information
  • New upstream release fixing CVE 2018-15473
  • CVE-2016-6210: User enumeration via covert timing channel (#1357443)
  • CVE-2015-8325: ignore PAM environment vars when UseLogin=yes (#1328013)

Is the flagged CVE not applicable to my OS?

I think 8.10 is still supported, but why is it not showing the latest CVE fixes? The server was just updated. Perhaps the new CVEs do not pertain to the older openssh? Or am I not getting openssh patches?

This package has long since been superseded by openssh-8.0p1-25.el8_10, which contains the fixes for the CVEs your scanner is saying you're affected by.

These CVEs were fixed in 8.0p1-22 and 8.0p1-23, addressing terrapin and metasymbol injection.

This was very clearly addressed in 8.0p1-18, as noted by the change log.

As noted earlier, openssh-8.0p1-25.el8_10 has long since superseded the versions of packages those CVEs were originally fixed in, and thus the fixes are there. Please work with your auditors or the creators of your software/scanner to fix these false positives.

Hi nazunalika. Thank you for the feedback.
Is there a URL for the changelog of the openssh version I'm running that I can review with my infosec team?

You can find all Rocky Linux 8 openssh packages here.

https://kojidev.rockylinux.org/koji/packageinfo?packageID=346


The RPM packages do include change logs, so for an installed package one can read the log with:

rpm -q --changelog openssh

One can read logs for non-installed packages too:

dnf changelog openssh

(and one could narrow that down to a specific, non-latest version, as long as the repo has it or it is installed)

Some packages have very long changelogs, so less or grep come in handy.
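The check this thread walks through, as an added example that is not from the thread or from the Rocky Linux project: a small POSIX shell script that greps the changelog for the CVE IDs a scanner flags and compares the installed version-release against the release that carries the fix, which is what a version-string-only scanner misses on a distribution that backports fixes. The embedded changelog is a constructed sample (its dates, packager and wording are placeholders), the CVE IDs and releases are the ones quoted above, and GNU sort -V stands in for rpm's own version comparison.

```shell
# Added example, not from the thread. The changelog below is a CONSTRUCTED
# sample modelled on the entries quoted in the thread; its dates, packager and
# wording are placeholders, not the real openssh changelog. On a host the script
# uses `rpm -q --changelog openssh` instead when rpm is available.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <packager@example.invalid> - 8.0p1-23
- CVE-2023-48795 (Terrapin) and CVE-2023-51385 (metasymbol injection) fixes
* Mon Jan 01 2024 Packager <packager@example.invalid> - 8.0p1-18
- Providing a kill switch for scp to deal with CVE-2020-15778
  Related: CVE-2023-38408
  Resolves: CVE-2023-38408
- CVE-2021-41617 upstream fix (#2008885)'

# cve_in_changelog CHANGELOG CVE-ID: succeed if the ID appears as a whole word
# (-w stops CVE-2023-3840 from matching inside CVE-2023-38408).
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qFw -- "$2"
}

# missing_cves CHANGELOG CVE-ID...: print the IDs the changelog never mentions.
missing_cves() {
    changelog=$1
    shift
    for cve in "$@"; do
        cve_in_changelog "$changelog" "$cve" || printf '%s\n' "$cve"
    done
}

# release_at_least INSTALLED FIXED: succeed if INSTALLED is the same as or newer
# than FIXED. GNU sort -V is a close enough stand-in for rpm's own version
# comparison for version-release strings such as 8.0p1-25.el8_10.
release_at_least() {
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$newest" = "$1" ]
}

# Run against the real package when rpm is present, else against the sample.
if command -v rpm >/dev/null 2>&1 && rpm -q openssh >/dev/null 2>&1; then
    changelog=$(rpm -q --changelog openssh)
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh | head -n 1)
else
    changelog=$SAMPLE_CHANGELOG
    installed='8.0p1-25.el8_10'     # the release nazunalika cites in the thread
fi
unfixed=$(missing_cves "$changelog" CVE-2023-51385 CVE-2023-38408 CVE-2023-48795)
if [ -z "$unfixed" ] && release_at_least "$installed" 8.0p1-23; then
    printf '%s: all three CVE IDs present, release >= 8.0p1-23\n' "$installed"
else
    printf '%s: check manually; IDs not in changelog: %s\n' "$installed" "$unfixed"
fi
```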