[CentOS] OpenSSH 8.6/8.6p1 on CentOS Linux release 7.9.2009 (Core)

Wed May 26 13:05:55 UTC 2021
Johnny Hughes <johnny at centos.org>

On 5/25/21 7:31 AM, Kaushal Shriyan wrote:
> On Tue, May 25, 2021 at 5:41 PM Jonathan Billings <billings at negate.org>
> wrote:
> 
>> On Tue, May 25, 2021 at 03:29:51PM +0530, Kaushal Shriyan wrote:
>>> I am running openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release
>>> 7.9.2009 (Core). Is there a plan to introduce OpenSSH 8.6/8.6p1 version
>>> on CentOS Linux release 7.9.2009?
>>>
>>> #cat /etc/redhat-release
>>> CentOS Linux release 7.9.2009 (Core)
>>> #rpm -qa | grep -i ssh
>>> openssh-clients-7.4p1-21.el7.x86_64
>>> libssh2-1.8.0-4.el7.x86_64
>>> openssh-7.4p1-21.el7.x86_64
>>> openssh-server-7.4p1-21.el7.x86_64
>>> #
>>>
>>> Please guide. Thanks in advance.
>>>
>>> More Info:- https://www.openssh.com/releasenotes.html
>>
>> It's unlikely.  RHEL7/CentOS7 is in maintenance support mode, so no
>> new major feature changes are expected.  Only major security/bug fixes
>> are expected to be introduced.
>>
>> See this chart for more details:
>> https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Product_life_cycle
>>
>> The version in CentOS 7 isn't simply the version from OpenSSH, many
>> features and security fixes have been backported in the past, so if
>> there's something in particular you are looking for, please mention
>> it.
>>
>>
> Thanks Jonathan for the reply. I have configured the below SSH
> configuration as part of hardening to address vulnerabilities.
> 
> KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
> 
> 
> Is there a way to validate if the above Key exchange, Cipher and MAC
> algorithms address the vulnerabilities? Please guide. Thanks in advance.

Red Hat uses the Backporting method to address security issues in RHEL
.. and we inherit that method in CentOS:

https://access.redhat.com/security/updates/backporting

If you are looking for a specific vulnerability .. look here:

https://access.redhat.com/security/security-updates/#/

Look up the CVE .. you can find if the issue is relevant, what version
fixes the issue, etc.
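The question in the thread, whether the KexAlgorithms/Ciphers/MACs lists actually take effect and exclude the weak algorithms, can be checked on the host rather than guessed from version numbers. The script below is an added example and is not code from the thread or from the CentOS/OpenSSH projects. It reads the effective configuration in the format `sshd -T` prints (lowercase keyword, then a comma-separated list) and flags any algorithm on a deny list. The deny list is this example's own assumed baseline (SHA-1 key exchange, CBC and RC4 ciphers, MD5/SHA-1/UMAC-64 MACs), and both dumps fed to it are constructed samples, not captured from a real server.

```bash
#!/bin/sh
# Added example: audit the key exchange, cipher and MAC algorithms that sshd
# has in effect, using the `sshd -T` output format, against a deny list of
# algorithms commonly excluded by SSH hardening baselines.
# The deny lists below are an assumption of this example, not a project list.

WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com'

# flag_weak LABEL COMMA_LIST DENY_LIST
# Prints one line per denied algorithm found in COMMA_LIST; returns 1 if any.
flag_weak() {
    label=$1; algs=$2; deny=$3; bad=0
    for a in $(printf '%s' "$algs" | tr ',' ' '); do
        for d in $deny; do
            if [ "$a" = "$d" ]; then
                echo "WEAK $label: $a"
                bad=1
            fi
        done
    done
    return $bad
}

# audit_dump reads `sshd -T` style output on stdin and checks the three
# algorithm lists. Returns 0 only when no denied algorithm is in effect.
audit_dump() {
    rc=0
    while read -r key val; do
        case $key in
            kexalgorithms) flag_weak kex    "$val" "$WEAK_KEX"     || rc=1 ;;
            ciphers)       flag_weak cipher "$val" "$WEAK_CIPHERS" || rc=1 ;;
            macs)          flag_weak mac    "$val" "$WEAK_MACS"    || rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what `sshd -T` would print for the hardened lists
# posted in the thread (only the relevant keywords are shown).
HARDENED_DUMP='port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Constructed sample of a configuration that still permits SHA-1 key
# exchange, a CBC cipher and a SHA-1 MAC; it must be rejected.
WEAK_DUMP='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
ciphers aes256-ctr,aes128-cbc
macs hmac-sha2-256,hmac-sha1'

printf '%s\n' "$HARDENED_DUMP" | audit_dump && echo "hardened sample: OK"
printf '%s\n' "$WEAK_DUMP"     | audit_dump || echo "weak sample: rejected"
```

On a real CentOS 7 host run it as root with `sshd -T | audit_dump`, since `sshd -T` parses the live `/etc/ssh/sshd_config` and prints the effective values rather than what was typed. Two further checks go with it: `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` list the names the installed 7.4p1 build actually supports, so any configured name missing from that output would be rejected at startup; and for the CVE question in Johnny's reply, `rpm -q --changelog openssh-server | grep -i CVE-` shows which CVE fixes Red Hat has backported into the package regardless of its upstream version string.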