Updating SSH version 7.4pl to 7.5 on Amazon Linux 2
I got one error while scanning my Amazon Linux 2 EC2 instance:

OpenSSH < 7.5    22 / tcp / ssh    Medium 5.0    The vulnerability is not included in the NVD
OpenSSH < 7.6    22 / tcp / ssh    CVE-2017-15906    Medium 5.0
Patch Report    0 / tcp /

But there is no update for SSH now in Amazon Linux 2.
Is there any other method for updating SSH?
Solution 1:
I make a slightly longer and similar argument here but, for as long as your (enterprise) Linux distribution is supported, simply applying OS updates (i.e. with [sudo] yum update) should keep your OS secure, and you should neither want to nor need to upgrade to a specific upstream version number to fix a known security issue.
Search for the CVE number on the Amazon Linux Security Center https://alas.aws.amazon.com/ and you'll find that it has been addressed as https://alas.aws.amazon.com/ALAS-2018-1018.html and that you should run yum update openssh and be done with it.
Check the package changelog to see which fixes have been backported, for instance with:
rpm -qv --changelog openssh-server
On my CentOS 7 this shows, among others, that I run OpenSSH server 7.4, but that despite CVE-2017-15906 marking every version below OpenSSH 7.6 as vulnerable, a fix has been applied and this system is no longer susceptible:
rpm -qv --changelog openssh-server
* Fri Nov 24 2017 Jakub Jelen <[email protected]> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
...
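The changelog check from the answer above, turned into a small triage helper for version-based scanner findings. This is an added example, not part of the original answer; the function name, output format and sample changelog (modelled on the output shown above, with a placeholder e-mail address) are this example's own.

```shell
#!/usr/bin/env bash
# Reads RPM changelog text on stdin and, for each CVE ID given as an argument,
# prints the most recent changelog entry that mentions it, or NOT-FOUND.
# Exit status is 0 only if every requested CVE is mentioned.
#
# Typical use on the host being triaged:
#   rpm -q --changelog openssh-server | cve_changelog_status CVE-2017-15906

cve_changelog_status() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        # Entry headers look like:
        #   * Fri Nov 24 2017 Name <mail> - 7.4p1-16 + 0.10.3-2
        /^\* / {
            header = $0
            sub(/^\* /, "", header)
            next
        }
        {
            for (i = 1; i <= n; i++) {
                # Match the ID as a whole token, so that CVE-2017-1590
                # is not satisfied by a line about CVE-2017-15906.
                pat = "(^|[^0-9A-Za-z-])" want[i] "([^0-9]|$)"
                if (!(want[i] in found) && match($0, pat))
                    found[want[i]] = header
            }
        }
        END {
            missing = 0
            for (i = 1; i <= n; i++) {
                if (want[i] in found)
                    printf "%s\tFIXED\t%s\n", want[i], found[want[i]]
                else {
                    printf "%s\tNOT-FOUND\n", want[i]
                    missing = 1
                }
            }
            exit missing
        }'
}

# Constructed sample input for trying the function offline.
SAMPLE_CHANGELOG='* Fri Nov 24 2017 Jakub Jelen <maintainer@example.invalid> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
* Mon Jan 02 2017 Example Packager <packager@example.invalid> - 7.4p1-1
- Constructed entry with no CVE reference'
```

A NOT-FOUND result only means the changelog does not name the CVE; the distribution's advisory page (ALAS for Amazon Linux) remains the authoritative record of which package release carries the fix.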