Upgrade openssh to 9.3p2

os version: 9.2 (Blue Onyx)

I need to upgrade OpenSSH from OpenSSH_8.7p1 to OpenSSH_9.3p2 because of CVE-2023-38408.
We installed the dependency packages Development Tools, zlib-devel, openssl-devel, pam-devel, libselinux-devel, and then:
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make
make install
and restarted sshd.
Still the version is OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022.

Can you please help with how to upgrade OpenSSH to 9.3p2, or can you provide an OpenSSH 9.3p2 patch for Rocky 9.2?


First, one does not mess with Enterprise Linux content. A vital point of package management is that the manager tool knows what is in the system, and source installs are not known to an RPM-based system.


As long as Rocky is bug-for-bug compatible with RHEL, it has practically the same packages as RHEL.
Getting a new package thus requires that Red Hat releases something new.

The current state shown in CVE details is that EL9 is Affected, with no patched package yet. That page does propose mitigations:

Mitigation

Remote exploitation requires that the agent was forwarded to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
So disable agent forwarding or restrict ssh-agent options.


That said, you ran configure with the options with-privsep-path and sysconfdir. (Btw, EL9's sshd does not seem to have/use /var/lib/sshd/ at all.)

  1. Doesn't that leave the install prefix at the default (usually /usr/local)?
  2. Systemd (re)starts sshd.service from its unit file. Was it modified to use the new binary (if the build did not overwrite /usr/sbin/sshd)?

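The two questions at the end of the reply, plus the agent-forwarding mitigation, can be checked mechanically. The script below is an added example for this thread, not code from either poster or from the OpenSSH or Rocky projects. It assumes the autoconf default prefix of /usr/local when no --prefix is given, that --sysconfdir only relocates the config files and not the binaries, and that EL9's sshd.service starts the daemon via an ExecStart= line naming /usr/sbin/sshd; the unit file and ssh_config contents embedded here are constructed samples, not read from a host.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from OpenSSH/Rocky).
# It answers the reply's two questions offline from constructed input:
#   1. where `make install` puts sshd for the configure arguments used,
#   2. which binary sshd.service actually starts,
# and checks the CVE-2023-38408 precondition: is agent forwarding still enabled?

# Constructed sample of the relevant part of EL9's sshd.service (assumed content).
SAMPLE_UNIT='[Unit]
Description=OpenSSH server daemon
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
'

# Constructed client config where one Host stanza still forwards the agent.
SAMPLE_SSH_CONFIG='Host bastion
    ForwardAgent yes
Host *
    ForwardAgent no
'

# Print the binary named on the first ExecStart= line of a unit file given as a string.
unit_exec_binary() {
    printf '%s\n' "$1" | sed -n 's/^ExecStart=\([^ ]*\).*/\1/p' | head -n 1
}

# Print where `make install` puts sshd for the given configure arguments:
# --prefix=DIR if present, otherwise the autoconf default /usr/local
# (assumption stated in the lead-in; --sysconfdir does not move binaries).
source_install_sbin() {
    prefix=/usr/local
    for arg in "$@"; do
        case "$arg" in
            --prefix=*) prefix="${arg#--prefix=}" ;;
        esac
    done
    printf '%s/sbin/sshd\n' "$prefix"
}

# Print "yes" if any stanza of the given ssh_config text enables ForwardAgent.
forward_agent_anywhere() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes'; then
        echo yes
    else
        echo no
    fi
}

# "same" when the source build would overwrite the binary the unit runs,
# "shadowed" when the unit keeps starting the old packaged binary.
build_vs_unit() {
    if [ "$(source_install_sbin "$@")" = "$(unit_exec_binary "$SAMPLE_UNIT")" ]; then
        echo same
    else
        echo shadowed
    fi
}

# Same checks against the live host; only runs when invoked with --live.
# sshd's usage text starts with its version string, so grep it from either binary.
live_report() {
    for bin in /usr/sbin/sshd /usr/local/sbin/sshd; do
        [ -x "$bin" ] && printf '%s: %s\n' "$bin" "$("$bin" -? 2>&1 | grep -m1 OpenSSH_)"
    done
    systemctl show -p ExecStart sshd.service 2>/dev/null
    ssh -G localhost 2>/dev/null | grep -i '^forwardagent'
}

if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run with --live on the affected box to compare the version string of /usr/sbin/sshd against /usr/local/sbin/sshd and to see the ExecStart= that systemd really uses; run without arguments to exercise only the offline functions. For the configure line from the first post (no --prefix) the build lands in /usr/local/sbin/sshd while the unit keeps starting /usr/sbin/sshd, which matches the unchanged version the poster saw. Whether or not the rebuild is kept, the reply's mitigation is to set ForwardAgent no for every host and to start ssh-agent with -P ''.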