Why is the OpenSSH version in Red Hat Enterprise Linux older than the current upstream release?
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 4
Issue
- Following a security audit, the security officer stated that the currently installed version of OpenSSH is vulnerable, so OpenSSH needs to be upgraded from 4.3 to 5.2 or later.
- A vulnerability scan is reporting a weakness in the OpenSSL version shipped with a RHEL system.
- Need to upgrade OpenSSH from 4.3 to 5.2 or later in Red Hat Enterprise Linux.
Resolution
- The version of OpenSSH shipped in Red Hat Enterprise Linux is as secure as the upstream version. All known vulnerabilities have been backported and patched in the shipped version. When a new vulnerability is reported, the Red Hat Security Response Team works on it and releases a fix as an errata update.
- The general and security advisories released to date for RHEL 5 are published as errata on the Red Hat Customer Portal.
- See the following article on how security fixes are backported from the upstream version: http://redhat.com/security/updates/backporting
- A newer OpenSSH version can be installed from third-party repositories, but this is not supported and, more importantly, you will NOT receive any future security updates from Red Hat for that package.
- Also see: After an upstream project has released a newer version of a package when will the package on a Red Hat Enterprise Linux System be updated to this version?
Root Cause
- The vulnerability assessment is based solely on the major OpenSSH version string that the system reports (the version shipped with RHEL), not on which security fixes have been backported into that version.
Diagnostic Steps
- The latest OpenSSH version available in Red Hat Enterprise Linux 5 is 4.3.
- Although a later version is available upstream, all security patches are backported to the version shipped in Red Hat and made available through errata updates.
- To maintain API/ABI compatibility between packages, and to ensure the program meets Red Hat standards, it is not possible to follow upstream releases. Between revisions there are drastic codebase changes that add or remove functionality; on many occasions this breaks compatibility with other programs, which would then be forced to upgrade as well. To avoid this, once a stable upstream version is chosen for inclusion in RHEL, only critical updates that don't break other applications are applied.
- This link gives a good overview of Red Hat security policies: http://redhat.com/security
- If the CVE number for a particular vulnerability is known, check whether a fix has been released at the following link: http://www.redhat.com/security/data/cve
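The two points above, that a scanner only sees the version string and that a backported fix is recorded in the package rather than in the version number, can be checked on a host directly. The script below is an added example written for this article, not Red Hat's own tooling. It replaces the real outputs of `ssh -V` and `rpm -q --changelog openssh` with constructed sample text so that it runs offline, and the CVE identifier in the sample changelog is a placeholder, not a real OpenSSH issue.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): show why a version banner is
# not evidence of exposure on RHEL, and how to check for a backported fix.
#
# On a live RHEL 5 host the two real inputs are:
#   ssh -V 2>&1                 # the banner a version-matching scanner sees
#   rpm -q --changelog openssh  # where backported CVE fixes are recorded
# Both are replaced here by constructed sample text so the script runs offline.

# Constructed sample banner in the format 'ssh -V' prints (version, then OpenSSL).
SAMPLE_BANNER='OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'

# Constructed sample changelog. The packager, date and CVE-2000-0001 are
# placeholders, not real Red Hat entries or a real OpenSSH vulnerability.
SAMPLE_CHANGELOG='* Mon Jan 01 2000 Example Packager <packager@example.com> - 4.3p2-99
- backport fix for CVE-2000-0001 (placeholder entry)
- unrelated build fix'

# openssh_banner_version BANNER
# Extracts the upstream version string (e.g. 4.3p2) from an 'ssh -V' banner.
# This string is all a version-matching scanner has to go on; it never changes
# when Red Hat backports a fix.
openssh_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9.]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# cve_fixed_in_changelog CVE-ID CHANGELOG-TEXT
# Prints "fixed" when the CVE id appears in the changelog text, "not-found"
# otherwise, and "invalid" for a malformed id. The match is anchored on the
# trailing side so that CVE-2000-0001 does not match CVE-2000-00015.
cve_fixed_in_changelog() {
    cve="$1"
    text="$2"
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) echo invalid; return 2 ;;
    esac
    if printf '%s\n' "$text" | grep -qiE "${cve}([^0-9]|$)"; then
        echo fixed
    else
        echo not-found
    fi
}

# Demonstration on the constructed samples: the banner still says 4.3p2,
# yet the package changelog records the (placeholder) CVE fix.
ver=$(openssh_banner_version "$SAMPLE_BANNER")
echo "banner version (what the scanner matches on): $ver"
echo "CVE-2000-0001 in changelog: $(cve_fixed_in_changelog CVE-2000-0001 "$SAMPLE_CHANGELOG")"
echo "CVE-2000-0002 in changelog: $(cve_fixed_in_changelog CVE-2000-0002 "$SAMPLE_CHANGELOG")"
```

On a real system, substitute `$(ssh -V 2>&1)` and `$(rpm -q --changelog openssh)` for the two sample variables. A "fixed" result is supporting evidence that the errata containing the backport is installed; the authoritative answer for a given CVE remains the Red Hat CVE page linked above, and a "not-found" result should be checked there before concluding the host is unpatched.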
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.