@Nono Hi and welcome to the Forum 
For openSUSE you should be over at https://forums.opensuse.org/ 
Anyway, CVE’s etc are backported to older versions, just like SLE, that is why security scanners don’t function when looking at version numbers as it’s not applicable;
rpm -q openssh --changelog | grep -E "CVE-2021-41617|CVE-2016-20012"
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
(bsc#1190975, CVE-2021-41617), backported from upstream by
I suspect the one for 2016 is not applicable for the released version…
You can also head over to https://www.suse.com/security/cve/index.html
The second one was disputed https://www.suse.com/security/cve/CVE-2016-20012.html and resolved.