openssh not uptodate on SLES15

SUSE Linux Enterprise Server SLES Updates
1

Hello.
I have a SLES15 system (with no SP installed because it is not accepted and certified by applications.)
openssh is version OpenSSH_7.6p1 so it seems to be concerned by CVE-2019-6110
but I found a patch that correct this CVE ; it is SUSE-SLE-Module-Basesystem-15-2019-126
When I try to install it : it is always installed :smile:
So am I protected

zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-126

Refreshing service ‘Basesystem_Module_15_x86_64’.
Refreshing service ‘Desktop_Applications_Module_15_x86_64’.
Refreshing service ‘Development_Tools_Module_15_x86_64’.
Refreshing service ‘Legacy_Module_15_x86_64’.
Refreshing service ‘SUSE_Linux_Enterprise_Server_15_x86_64’.
Refreshing service ‘Server_Applications_Module_15_x86_64’.
Loading repository data…
Reading installed packages…
‘patch:SUSE-SLE-Module-Basesystem-15-2019-126’ is already installed.
Resolving package dependencies…

Nothing to do.
So am I protected against the openssh issue referenced in CVE-2019-6110 with my openssh in version 7.6p1 ?
Thank you.
Emmanuel

2

Hi and welcome to the Forum :slight_smile:
You can verify the package and CVE via SUSE Customer Center under the patches tab and enter the CVE reference;
https://scc.suse.com/patches

You can also select the CVE link for more info;
https://www.suse.com/security/cve/CVE-2019-6110/

In your case openssh-7.6p1-9.13.1 has been updated for this CVE.

3

Thank you for helping. I see in the CVE link that the Patchnames for this CVE is SUSE-SLE-Module-Basesystem-15-2019-126 ; so if zypper tells “is already installed”, it is OK for me ?
Or should I install another package ? openssh-7.6p1-9.13.1 ?
I found https://www.suse.com/fr-fr/support/update/announcement/2019/suse-su-20190126-1/
but it is also installed :

zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-126=1

Refreshing service ‘Basesystem_Module_15_x86_64’.
(…)
Loading repository data…
Reading installed packages…
‘patch:SUSE-SLE-Module-Basesystem-15-2019-126 = 1’ is already installed.
Resolving package dependencies…

Nothing to do.

4

Hi
Use zypper if openssh to see the version installed, but if those patches say they are installed, then you should be good to go.

5

Thank you !
Here is the result :smile: Information for package openssh:
Repository : SLE-Module-Basesystem15-Updates
Name : openssh
Version : 7.6p1-9.32.1
So, it seems good.

6

Hi
Indeed it does :slight_smile:

7

Good news, thanks a lot for your help.