OpenSSH version on Leap 15.5 is very old

Hello,
I started with openSUSE with Leap 15.5 and I checked the version of openssh; it is 8.4p1.
Question: this version is very old and the CVEs below are present; how do I update openssh or patch it?
(cve) CVE-2021-41617 – (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2016-20012 – (CVSSv2: 5.3) enumerate usernames via challenge response
Can you help me?
Nono

@Nono Hi and welcome to the Forum :smile:
For openSUSE you should be over at https://forums.opensuse.org/ :wink:

Anyway, CVEs etc. are backported to older versions, just like SLE; that is why security scanners don’t function when looking at version numbers, as it’s not applicable:

```
rpm -q openssh --changelog | grep -E "CVE-2021-41617|CVE-2016-20012"
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
  (bsc#1190975, CVE-2021-41617), backported from upstream by
```

I suspect the one for 2016 is not applicable for the released version…

You can also head over to https://www.suse.com/security/cve/index.html
The second one was disputed https://www.suse.com/security/cve/CVE-2016-20012.html and resolved.
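
Added example, not part of the thread or of any openSUSE tooling: a small POSIX shell triage helper that takes the CVE ids a scanner reported and checks each one against a package changelog, so a version-based finding can be sorted into "backport listed" or "check the vendor page". The function names `check_cves` and `sample_changelog` are hypothetical, the sample changelog is constructed (its first entry reuses the line quoted above), and the per-CVE URL follows the pattern of the CVE-2016-20012 link above.

```shell
#!/bin/sh
# check_cves: read changelog text on stdin, take CVE ids as arguments.
# Prints one line per id:
#   "<id> listed <changelog entry>"   or   "<id> unlisted <vendor CVE page>"
# The body runs in a subshell "( ... )" so its variables stay local.
check_cves() (
    changelog=$(cat)
    for cve in "$@"; do
        # -F: match the id literally; -w: whole word, so CVE-2021-4161
        # does not match inside CVE-2021-41617; -m1: first entry only.
        hit=$(printf '%s\n' "$changelog" | grep -wF -m1 -- "$cve" || true)
        if [ -n "$hit" ]; then
            entry=$(printf '%s\n' "$hit" | sed 's/^[[:space:]-]*//')
            printf '%s listed %s\n' "$cve" "$entry"
        else
            # Absent from the changelog does not mean vulnerable: the vendor
            # may rate the CVE as disputed or not affecting this package,
            # so the result points at the per-CVE page instead.
            printf '%s unlisted https://www.suse.com/security/cve/%s.html\n' "$cve" "$cve"
        fi
    done
)

# Constructed sample input standing in for `rpm -q openssh --changelog`.
sample_changelog() {
    cat <<'EOF'
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
  (bsc#1190975, CVE-2021-41617), backported from upstream by
- Constructed entry: unrelated packaging cleanup
EOF
}

# Demo on the sample; on a real system pipe the rpm changelog in instead:
#   rpm -q openssh --changelog | check_cves CVE-2021-41617 CVE-2016-20012
sample_changelog | check_cves CVE-2021-41617 CVE-2016-20012
```

An "unlisted" result is a prompt to read the vendor's statement for that CVE, not a verdict on whether the installed package is affected.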