openssh 7.5

During a recent security scan on our network, I took hits for having vulnerable openssh packages installed on my RHEL 7.4 servers.

The description from Tenable is:

The solution is to install openssh 7.5 or better but I don't see it available in the RHEL package browser.

Is the RHEL openssh 7.4 version affected by the directory traversal exploit explained above?

Will we see a 7.5 version soon if so?

Thanks for any insight.

Hi Aaron,

As openssh is one of those packages that are important for the security of server infrastructures, it gets updated frequently.
From my experience I can tell you that Red Hat is extremely concerned about security, so you can expect the new version soon.
The time it takes until it is released depends on the importance and severity of the security issue and on whether RHEL is vulnerable.

This issue only affects OpenSSH Portable's sftp-client when executed on Cygwin, so RHEL or any other Linux distribution is not affected:

Thank you for the clarification.
Now to get our ACAS folks to understand it like that.

R, Aaron

Sounds like your ACAS folks haven't properly/fully set up their ACAS frameworks. Properly set up, ACAS will cross-reference generic CVEs against the vendor-specific database that applies to the scan-target. When so set up, if you've installed the appropriate vendor package-versions - or if the CVE is a "does not apply to platform" - ACAS will greenlight your config (at least for that CVE).

If your ACAS folks haven't configured their scanning system to do that, you may have more to overcome than simply explaining why this particular CVE does not apply. Good luck.
