Hello team,
I just ran into these CVEs for the OpenSSH package during a security scan. All of them are flagged high risk. In sum, it would be required to upgrade to OpenSSH 9.9p2 to be clean wrt. existing CVEs. A search for an RPM did not return any results. Are there any plans to provide an official RPM for OpenSSH 9.9p2 to address these issues?
Building the source package of OpenSSH 9.9p2 doesn’t seem to cause any issues. But using that build directly would certainly mess up all dependencies …
Welcome to the forums.
No, there won’t be any rebases of openssh. Generally, CVEs are backported into openssh. Rocky Linux is also a derivative of Red Hat Enterprise Linux, and thus generally follows closely their release patterns and versions.
As for the CVEs listed in the topic, here are some links that may be helpful to you:
CVE-2023-51767: Marked as will not fix - 3656 – How to fix row hammer attacks?
CVE-2023-51384: Not affected
CVE-2025-26465: Not patched at this time - Note: VerifyHostKeyDNS is typically disabled by default.
If you rebuilt openssh from Fedora, that may be fine, though we generally do not recommend doing this. This means you are on the hook for keeping it up to date with bug and security fixes. We normally recommend staying on the base packages to ensure stability and consistency of your system and its components.
You may want to report the above links to the vendor of your security software or relevant information security team. If the security software is only looking at the version of openssh (via a TCP connection), and not at the actual RPM package version, this can and will report false positives.
Hope this helps.
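The reply above makes two points a scanner often gets wrong: a backported fix does not change the version in the SSH banner, and CVE-2025-26465 only matters when VerifyHostKeyDNS is turned on. The following triage script is an added example for this thread, not code from the Rocky Linux project or from either poster. Everything it consumes is a constructed sample: the banner, an rpm changelog excerpt (its packager, date and release string are made up, and the CVE-2023-48795 line is there only to show how a backported fix appears in a changelog, not as a quote from any real package), an ssh_config, and a vendor-status table that simply restates the three statuses given in the reply. On a real host you would feed it `rpm -q --changelog openssh` and `/etc/ssh/ssh_config` (or `ssh -G somehost` for the effective client configuration).

```python
"""Triage OpenSSH scanner findings against the installed RPM, not the banner.

Added example for this thread; not code from the Rocky Linux project or the
forum posters. All inputs are constructed samples (see comments).
"""
import re
from typing import Dict, List, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# What a network scanner sees on TCP/22 (constructed).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.7"

# Constructed excerpt in the format of `rpm -q --changelog openssh`.
# Packager, dates and release strings are made up; the CVE line illustrates
# how a backported fix shows up with no change to the upstream version.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 8.7p1-0.example
- backport upstream strict KEX countermeasure (CVE-2023-48795)
* Mon Dec 04 2023 Example Packager <packager@example.invalid> - 8.7p1-0.example
- rebuild
"""

# Constructed ssh_config: the option is left at its default globally and
# enabled only inside one Host block.
SAMPLE_SSH_CONFIG = """\
# global section
ForwardX11Trusted yes
Host legacy.example.invalid
    VerifyHostKeyDNS yes
Host *
    GSSAPIAuthentication yes
"""

# Statuses quoted from the reply above; real triage would read the vendor's
# CVE pages linked there instead of a hard-coded table.
VENDOR_STATUS = {
    "CVE-2023-51767": "will not fix (hardware rowhammer issue)",
    "CVE-2023-51384": "not affected",
    "CVE-2025-26465": "not patched at this time",
}

# CVEs that only apply when a client option is enabled; default per ssh_config(5).
CONFIG_GATED = {"CVE-2025-26465": "VerifyHostKeyDNS"}
OPTION_DEFAULTS = {"verifyhostkeydns": "no"}


def banner_version(banner: str) -> str:
    """Version a remote scanner infers from the banner; it says nothing about backports."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", banner)
    return m.group(1) if m else ""


def backported_cves(changelog: str) -> Set[str]:
    """Every CVE id the package changelog mentions, i.e. fixes carried in the RPM."""
    return set(CVE_RE.findall(changelog))


def option_values(ssh_config: str, option: str) -> Set[str]:
    """All values assigned to an ssh_config option, globally or in any Host/Match
    block. Deliberately conservative: first-match-wins precedence is ignored, so
    an option enabled anywhere is reported as enabled."""
    wanted = option.lower()
    values: Set[str] = set()
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == wanted:
            values.add(parts[1].strip().strip('"').lower())
    return values or {OPTION_DEFAULTS.get(wanted, "unset")}


def triage(findings: List[str], banner: str, changelog: str,
           ssh_config: str) -> Dict[str, str]:
    """Classify each scanner finding using package changelog and host config."""
    fixed = backported_cves(changelog)
    version = banner_version(banner)
    verdicts: Dict[str, str] = {}
    for cve in findings:
        if cve in fixed:
            verdicts[cve] = f"false positive: fix backported, banner {version} is misleading"
        elif cve in CONFIG_GATED:
            opt = CONFIG_GATED[cve]
            vals = option_values(ssh_config, opt)
            if vals == {"no"}:
                verdicts[cve] = f"not exposed: {opt} disabled (default)"
            else:
                status = VENDOR_STATUS.get(cve, "check vendor")
                verdicts[cve] = f"exposed: {opt} set to {sorted(vals)}; {status}"
        elif cve in VENDOR_STATUS:
            verdicts[cve] = "vendor status: " + VENDOR_STATUS[cve]
        else:
            verdicts[cve] = "unknown: check the vendor CVE page and the package changelog"
    return verdicts


if __name__ == "__main__":
    flagged = ["CVE-2023-51767", "CVE-2023-51384", "CVE-2025-26465", "CVE-2023-48795"]
    for cve, verdict in triage(flagged, SAMPLE_BANNER, SAMPLE_CHANGELOG, SAMPLE_SSH_CONFIG).items():
        print(cve, "->", verdict)
```

The point of `backported_cves` is that the scanner's "upgrade to 9.9p2" verdict rests on the banner alone, while the RPM changelog is where a backport is actually recorded; reporting that evidence to the scanner vendor is the step the reply recommends. The `option_values` check is intentionally pessimistic, so a host where VerifyHostKeyDNS is enabled for even one Host block is still listed as exposed.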
Hello Luis,
Thanks for your quick reply and the included background information. That really helps a lot, and it helps me question the security scan report!!
You made my day!