I need to upgrade OpenSSH from OpenSSH_8.7p1 to OpenSSH_9.3p2 because of CVE-2023-38408.
We installed the dependency packages: Development Tools, zlib-devel, openssl-devel, pam-devel, libselinux-devel.
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make
make install
and restarted sshd.
Still, the version shown is OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022.
Can you please help with how to upgrade OpenSSH to 9.3p2, or can you provide an OpenSSH 9.3p2 patch for Rocky 9.2?
First, one does not mess with Enterprise Linux content. A vital point of package management is that the manager tool knows what is in the system, and source installs are not known to an RPM-based system.
As long as Rocky is bug-for-bug compatible with RHEL, it has practically the same packages as RHEL.
Getting a new package thus requires that Red Hat releases something new.
The current state shown in cve-details is that EL9 is Affected – no patched package yet. That page does propose mitigations:
Mitigation
Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
So disable agent forwarding or restrict ssh-agent options.
That said, you ran configure with the options with-privsep-path and sysconfdir. (Btw, EL9's sshd does not seem to have/use /var/lib/sshd/ at all.)
Doesn't that leave the install prefix at its default (usually /usr/local)?
Systemd (re)starts sshd.service via its unit file. Was it modified to use the new binary (if the build did not overwrite /usr/sbin/sshd)?
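An added example (not code from either poster) that checks the two points raised in the reply: whether agent forwarding is actually disabled in sshd_config/ssh_config, and which sshd binary the systemd unit launches. It assumes the first-match rule of sshd_config(5)/ssh_config(5) and only follows unconditional sections (Host * / Match all); other Match/Host blocks end the global part.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit the agent-forwarding mitigation
# and the sshd binary named in the unit file. Only the global (unconditional)
# part of each config is evaluated; conditional Match/Host blocks are skipped.

# effective_value FILE KEYWORD DEFAULT -> lowercased global value, or DEFAULT
effective_value() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  val=$(awk -v key="$key" '
    /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
    { kw = tolower($1) }
    kw == "host"  { if (NF == 2 && $2 == "*") next; exit }            # Host * is global
    kw == "match" { if (NF == 2 && tolower($2) == "all") next; exit } # Match all is global
    kw == key { print tolower($2); exit }               # first occurrence wins
  ' "$1")
  printf '%s\n' "${val:-$3}"
}

# Server side: AllowAgentForwarding defaults to yes in sshd_config(5)
sshd_forwarding_disabled() {
  [ "$(effective_value "$1" AllowAgentForwarding yes)" = no ]
}

# Client side: ForwardAgent defaults to no in ssh_config(5)
ssh_forwarding_disabled() {
  [ "$(effective_value "$1" ForwardAgent no)" = no ]
}

# unit_sshd_binary UNITFILE -> executable from the first ExecStart= line,
# with systemd's optional "-", "@", "+", "!" or ":" prefix removed
unit_sshd_binary() {
  sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# report SSHD_CONFIG SSH_CONFIG UNITFILE -> human-readable summary
report() {
  if sshd_forwarding_disabled "$1"; then echo "sshd: AllowAgentForwarding no (mitigated)"
  else echo "sshd: agent forwarding still allowed"; fi
  if ssh_forwarding_disabled "$2"; then echo "ssh client: ForwardAgent no (mitigated)"
  else echo "ssh client: ForwardAgent yes globally"; fi
  echo "unit runs: $(unit_sshd_binary "$3")"
}
```

On a Rocky 9 host run `report /etc/ssh/sshd_config /etc/ssh/ssh_config /usr/lib/systemd/system/sshd.service`; a source build left under /usr/local is visible because the unit still points at /usr/sbin/sshd.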