
Upgrade Upgrade openSSH to 9.7

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Andy, Apr 23, 2024.

  1. Andy

    Andy Active Member
    Please fill in any relevant information that applies to you:
    • CentOS Version: i.e. AlmaLinux 9.3
    • Centmin Mod Version Installed: i.e. 124.00stable or 130.00beta01
    • Nginx Version Installed: i.e. 1.25.5
    • PHP Version Installed: i.e. 8.2
    • MariaDB MySQL Version Installed: i.e. 10.3.xx or 10.4.xx or 10.6.xx
    • When was the last time you updated the Centmin Mod code base? : i.e. run centmin.sh menu option 23 submenu option 2 or cmupdate command
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      cat /etc/centminmod/custom_config.inc
      

    I need to do a server scan to satisfy requirements by Clover because I process credit cards on my site.
    One of the many items they want me to address is to upgrade the server OpenSSH version to the latest version, which is 9.7.
    Currently, I only have OpenSSH_8.7p1 installed.
    What is the correct way to upgrade this on AlmaLinux?

  2. eva2000

    eva2000 Administrator Staff Member

    AlmaLinux/Rocky Linux and RedHat all backport patches into the YUM RPMs they provide while keeping the versions the same most of the time. OpenSSH is one of these YUM packages. So there is no OpenSSH 9.x upgrade route that would work without breaking your server.

    Excerpt of the changelog for AlmaLinux OpenSSH 8.7p1:
    Code (Text):
    rpm -qa --changelog openssh | head -n21
    * Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34.3
    - rebuilt
    
    * Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34.2
    - Fix Terrapin attack
      Resolves: RHEL-19764
    
    * Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34.1
    - Fix Terrapin attack (CVE-2023-48795)
      Resolves: RHEL-19764
    - Forbid shell metasymbols in username/hostname (CVE-2023-51385)
      Resolves: RHEL-19822
    
    * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
    - Avoid remote code execution in ssh-agent PKCS#11 support
      Resolves: CVE-2023-38408
    
    * Tue Jun 13 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-33
    - Allow specifying validity interval in UTC
      Resolves: rhbz#2115043
    
    Example: the Jan 8 changelog is for CVE-2023-51385: "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters", and for OpenSSH <9.6 security fixes backported to OpenSSH 8.7p1. So AFAIK OpenSSH 8.7p1 has a security posture equivalent to OpenSSH 9.6 at least (see oss-security - Announce: OpenSSH 9.6 released).

    OpenSSH 9.7 was a bug fix and new feature release with no security updates AFAIK (see OpenSSH: Release Notes).
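    As an added example (not code from this thread or from Centmin Mod), the script below turns the changelog check eva2000 describes into evidence a PCI scanner reviewer can read: it looks up each flagged CVE in the installed openssh RPM's changelog and reports the package release that backported the fix. The changelog text is a constructed sample copied from the excerpt above so it runs offline; on a live AlmaLinux host the input comes from `rpm -q --changelog openssh`, and `CVE-2099-00001` is a placeholder id used only to show the not-found path.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or Centmin Mod): check whether a CVE a PCI
    # scanner flags is covered by a backported fix in the installed openssh RPM's changelog.
    # On a live AlmaLinux host the changelog text comes from: rpm -q --changelog openssh
    # Here it is a constructed sample copied from the excerpt quoted above.

    SAMPLE_CHANGELOG='* Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34.2
    - Fix Terrapin attack
      Resolves: RHEL-19764

    * Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34.1
    - Fix Terrapin attack (CVE-2023-48795)
      Resolves: RHEL-19764
    - Forbid shell metasymbols in username/hostname (CVE-2023-51385)
      Resolves: RHEL-19822

    * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
    - Avoid remote code execution in ssh-agent PKCS#11 support
      Resolves: CVE-2023-38408'

    # cve_in_changelog CVE-ID CHANGELOG_TEXT
    # Prints the package release (e.g. 8.7p1-34.1) whose entry mentions the CVE and
    # returns 0; prints nothing and returns 1 if no entry mentions it.
    cve_in_changelog() {
        printf '%s\n' "$2" | awk -v cve="$1" '
            # A line starting with "* " opens an entry; its last field is the release.
            /^\* / { release = $NF }
            # Match the CVE id as a whole token so CVE-2023-4879 does not hit CVE-2023-48795.
            $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { print release; found = 1; exit }
            END { exit (found ? 0 : 1) }'
    }

    # report_cves CHANGELOG_TEXT CVE...  prints one status line per CVE as scanner evidence.
    report_cves() {
        changelog=$1; shift
        for cve in "$@"; do
            if rel=$(cve_in_changelog "$cve" "$changelog"); then
                printf '%s fixed in openssh-%s (backported)\n' "$cve" "$rel"
            else
                printf '%s not in changelog, review separately\n' "$cve"
            fi
        done
    }

    # Live use: report_cves "$(rpm -q --changelog openssh)" CVE-2023-51385 CVE-2023-48795
    # CVE-2099-00001 is a placeholder id used only to show the not-found path.
    report_cves "$SAMPLE_CHANGELOG" CVE-2023-51385 CVE-2023-48795 CVE-2023-38408 CVE-2099-00001
    ```

    A CVE reported as "not in changelog" is not necessarily unpatched: the fix may predate the shipped release, or the vendor entry may cite only a Red Hat tracker id, so check the vendor advisory before accepting the scanner finding.
    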