A customer is asking whether fixes for several vulnerabilities have been applied to OpenSSH (appears to be version OpenSSH_8.7p1) on the new Alma Linux 9.7. Using "rpm -q --changelog openssh-server", I was able to find changelog notes that indicate some have been fixed but several remain:
- 2008-3444 - CRIT (OpenSSH) - Trojan horse code in non-official repo
- 2023-51767 - HIGH (OpenSSH 9.6) - DRAM row hammer vulnerability
- 2021-41617 - HIGH (OpenSSH <8.8)
- 2025-32728 - MED (OpenSSH <10.0)
- 2021-36368 - LOW (OpenSSH <8.9)
#1 can probably be checked off "OK" if the packages in Alma Linux are from official RedHat (Fedora?) repo.
#2 is hardware related so not sure what is possible.
In general, is there a straightforward way to determine whether fixes for particular CVEs have been back-ported to the applicable software installed on the Alma Linux servers?
Thank you. - Dan
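One way to automate the changelog check described in the question, as an added example that is not part of the original post: the script normalises a list of CVE ids, scans `rpm -q --changelog` output, and attributes each hit to the package release whose header precedes it. The changelog text embedded below is a constructed sample so it runs offline; it is not the real openssh-server changelog and says nothing about which of the listed CVEs are actually fixed.

```sh
#!/bin/sh
# Added example (not from the original post): report, for each CVE you care about,
# whether the rpm changelog mentions it and under which package release it appears.
# Real usage on an AlmaLinux host:
#   rpm -q --changelog openssh-server | cve_status 2021-41617 2025-32728 2021-36368
# The changelog text below is a CONSTRUCTED sample so the script runs offline;
# it is not the real openssh-server changelog and makes no claim about real fixes.

# Changelog text on stdin, CVE ids as arguments (with or without the "CVE-" prefix,
# any case). Output: one line per id, "<CVE> FOUND <release>" or "<CVE> MISSING".
cve_status() {
    awk -v want="$*" '
    BEGIN {
        n = split(want, ids, " ")
        for (i = 1; i <= n; i++) {
            id = toupper(ids[i]); sub(/^CVE-/, "", id)   # normalise to CVE-YYYY-NNNN
            wanted["CVE-" id] = 1
        }
        release = "unknown-release"
    }
    # rpm changelog headers look like "* <date> <packager> - <version>-<release>";
    # remember the EVR after the last " - " so a hit can be attributed to a release.
    /^\* / { release = $0; sub(/^.* - /, "", release) }
    {
        line = toupper($0)
        for (c in wanted) {
            # anchor both ends so CVE-2021-4161 cannot match CVE-2021-41617
            if (!(c in seen) && line ~ ("(^|[^A-Z0-9])" c "([^0-9]|$)")) seen[c] = release
        }
    }
    END {
        for (c in wanted) {
            print c, ((c in seen) ? "FOUND " seen[c] : "MISSING")
        }
    }'
}

# CONSTRUCTED sample changelog (release numbers and entries are invented).
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 8.7p1-99
- Fix CVE-2021-41617 (constructed sample entry)
* Mon Jun 01 2020 Example Packager <packager@example.invalid> - 8.0p1-1
- Rebase to OpenSSH 8.0p1 (constructed sample entry)'

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status 2021-41617 2025-32728 cve-2021-36368
```

A MISSING result is only evidence, not proof: packagers do not always list every CVE in the changelog, and a CVE may simply not affect the shipped version, so confirm against the vendor errata (for example `dnf updateinfo list --cve CVE-2021-41617`) before reporting a gap to the customer.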