openssh not uptodate on SLES15

Hello.
I have a SLES15 system (with no SP installed because it is not accepted and certified by applications.)
openssh is version OpenSSH_7.6p1 so it seems to be concerned by CVE-2019-6110
but I found a patch that correct this CVE ; it is SUSE-SLE-Module-Basesystem-15-2019-126
When I try to install it : it is always installed :smile:
So am I protected

zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-126

Refreshing service 'Basesystem_Module_15_x86_64'.
Refreshing service 'Desktop_Applications_Module_15_x86_64'.
Refreshing service 'Development_Tools_Module_15_x86_64'.
Refreshing service 'Legacy_Module_15_x86_64'.
Refreshing service 'SUSE_Linux_Enterprise_Server_15_x86_64'.
Refreshing service 'Server_Applications_Module_15_x86_64'.
Loading repository data...
Reading installed packages...
'patch:SUSE-SLE-Module-Basesystem-15-2019-126' is already installed.
Resolving package dependencies...

Nothing to do.
So am I protected against the openssh issue referenced in CVE-2019-6110 with my openssh in version 7.6p1 ?
Thank you.
Emmanuel

Comments

  • malcolmlewismalcolmlewis Knowledge Partner
    edited July 23

    Hi and welcome to the Forum :)
    You can verify the package and CVE via SUSE Customer Center under the patches tab and enter the CVE reference;
    https://scc.suse.com/patches

    You can also select the CVE link for more info;
    https://www.suse.com/security/cve/CVE-2019-6110/

    In your case openssh-7.6p1-9.13.1 has been updated for this CVE.

  • Thank you for helping. I see in the CVE link that the Patchnames for this CVE is SUSE-SLE-Module-Basesystem-15-2019-126 ; so if zypper tells "is already installed", it is OK for me ?
    Or should I install another package ? openssh-7.6p1-9.13.1 ?
    I found https://www.suse.com/fr-fr/support/update/announcement/2019/suse-su-20190126-1/
    but it is also installed :

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-126=1

    Refreshing service 'Basesystem_Module_15_x86_64'.
    (...)
    Loading repository data...
    Reading installed packages...
    'patch:SUSE-SLE-Module-Basesystem-15-2019-126 = 1' is already installed.
    Resolving package dependencies...

    Nothing to do.

  • malcolmlewismalcolmlewis Knowledge Partner

    Hi
    Use zypper if openssh to see the version installed, but if those patches say they are installed, then you should be good to go.

  • Thank you !
    Here is the result :smile: Information for package openssh:
    Repository : SLE-Module-Basesystem15-Updates
    Name : openssh
    Version : 7.6p1-9.32.1
    So, it seems good.

  • malcolmlewismalcolmlewis Knowledge Partner

    Hi
    Indeed it does :)

  • Good news, thanks a lot for your help.

Sign In or Register to comment.