I make a slightly longer and similar argument here, but for as long as your (enterprise) Linux distribution is supported, simply applying OS updates (i.e. with [sudo] yum update) should keep your OS secure, and you should neither want nor need to upgrade to a specific upstream version number to fix a known security issue.
Search for the CVE number on the Amazon Linux Security Center https://alas.aws.amazon.com/ and you'll find that it has been addressed as https://alas.aws.amazon.com/ALAS-2018-1018.html and that you should run yum update openssh and be done with it.
Check the package changelog to see which fixes have been backported, for instance with:
rpm -qv --changelog openssh-server
Which on my CentOS 7 shows, among others, that I run OpenSSH server 7.4, but that despite CVE-2017-15906 marking every version below OpenSSH 7.6 as vulnerable, a fix has been applied and this system is no longer susceptible:
rpm -qv --changelog openssh-server
* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
...
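
The changelog check above can be scripted so it works across many hosts or packages. The following is an added example, not part of the original answer; the function names and the second sample changelog entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the RPM changelog entry that records a backported CVE fix.

# cve_fixed_in CVE-ID  (reads changelog text on stdin)
# Prints the "* date packager - version" header of every entry whose body
# names the CVE; returns 1 when no entry mentions it.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }            # start of a changelog entry
        # Require a non-digit (or end of line) after the ID so that
        # CVE-2017-1590 does not match CVE-2017-15906.
        header != "" && $0 ~ (cve "([^0-9]|$)") {
            if (!(header in seen)) { print header; seen[header] = 1 }
            found = 1
        }
        END { exit !found }
    '
}

# check_pkg PACKAGE CVE-ID: run the same check against an installed package.
# A miss is not proof of exposure: changelogs are free-form text, and a
# rebase to a fixed upstream release may not name the CVE.
check_pkg() {
    rpm -q "$1" >/dev/null 2>&1 || { echo "$1: not installed"; return 2; }
    if entry=$(rpm -q --changelog "$1" | cve_fixed_in "$2"); then
        printf '%s: %s addressed in:\n%s\n' "$1" "$2" "$entry"
    else
        printf '%s: no changelog entry mentions %s\n' "$1" "$2"
        return 1
    fi
}

# Sample input for offline use: the first entry is the one quoted above,
# the second is constructed.
sample_changelog() {
    cat <<'EOF'
* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)

* Sun Jan 01 2017 Example Packager <packager@example.com> - 7.4p1-1
- Constructed entry: rebase to new upstream release
EOF
}
```

After sourcing the file, `check_pkg openssh-server CVE-2017-15906` reports the fixing entry on a system like the one shown above.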