awslabs/amazon-eks-ami

OpenSSH version in v20240703 build AMI

guitarrapc opened this issue · 2 comments

We are building the worker node AMI using this repo. After running the scan we are getting vulnerabilities in OpenSSH - openssh-8.7p1-8.amzn2023.0.11.aarch64.

Vulnerability Description:

$ rpm -qa | grep openssh
openssh-server-8.7p1-8.amzn2023.0.11.aarch64
openssh-8.7p1-8.amzn2023.0.11.aarch64
openssh-clients-8.7p1-8.amzn2023.0.11.aarch64

Amazon Linux 2023 version 2023.5.20240701 already includes the fix, so could you please support the plan to include this fix in the AMI?

reference:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240701.html
https://alas.aws.amazon.com/AL2023/ALAS-2024-649.html

The ALAS bulletin you’ve linked specifies openssh-8.7p1-8.amzn2023.0.11 as the patched version for CVE-2024-6387. I don’t know what scanner you’re using or why it would think otherwise.

Please open a ticket with AWS Support for security issues 👍

thanks!
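
An added example, not part of the original thread or the project's code: a simplified RPM version comparison (no epoch, `~` or `^` handling) that checks the `rpm -qa` lines from the issue against the patched build the reply quotes from the ALAS bulletin, openssh-8.7p1-8.amzn2023.0.11. The function names and the older sample build are constructed for illustration.

```python
import re

# Patched build for CVE-2024-6387 as quoted in the thread from ALAS-2024-649.
FIXED = ("8.7p1", "8.amzn2023.0.11")

# The rpm -qa output posted in the issue.
INSTALLED = [
    "openssh-server-8.7p1-8.amzn2023.0.11.aarch64",
    "openssh-8.7p1-8.amzn2023.0.11.aarch64",
    "openssh-clients-8.7p1-8.amzn2023.0.11.aarch64",
]
# Constructed sample: a lower release number, used only to show a failing check.
OLDER_SAMPLE = "openssh-8.7p1-8.amzn2023.0.10.aarch64"

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a<b, a==b, a>b (assumption: no ~ or ^)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:              # a numeric segment sorts above an alphabetic one
            return 1 if xd else -1
        if xd:                    # both numeric: compare as integers, not strings
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by rpm -qa (no epoch)."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def is_patched(line, fixed=FIXED):
    """True when the installed version-release is at or above the fixed one."""
    _, version, release, _ = parse_nvra(line)
    c = rpmvercmp(version, fixed[0])
    if c == 0:
        c = rpmvercmp(release, fixed[1])
    return c >= 0

def report(lines):
    return {line: is_patched(line) for line in lines}

if __name__ == "__main__":
    for pkg, ok in report(INSTALLED + [OLDER_SAMPLE]).items():
        print(f"{pkg}: {'patched' if ok else 'below fixed build'}")
```

The comparison uses the full version-release string from the advisory, since the distribution release field is where a backported fix shows up.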