During a security audit, a vulnerability scanner reports that your servers are running OpenSSH 8.4p1, which it flags as vulnerable because the upstream project fixed CVE-2025-12345 in OpenSSH 9.7p1. The distribution vendor has released an updated package named openssh-8.4p1-6.el9 that it states resolves the CVE without changing the upstream version number. Which explanation best describes the vendor's patching approach and why the package is still considered compliant?
The vendor has backported the security patches into the 8.4p1 source, preserving API/ABI stability while the new package release tag (-6.el9) indicates the fix.
The vendor performed a rolling upgrade that replaced OpenSSH 8.4p1 with 9.7p1 but kept the old version string to avoid script breakage.
The vendor is fast-tracking the patch, so the vulnerability will only be removed when the servers are upgraded to OpenSSH 9.7p1 in the next major distribution release.
The vendor applied a live binary hot-patch directly to /usr/bin/sshd outside the package manager, so scanners cannot detect the new code.
The vendor has backported the specific security fixes from the newer upstream release (9.7p1) to the older 8.4p1 code base and issued a new package release (-6.el9). Backporting leaves the upstream version portion of the string unchanged, so scanners that rely only on version comparison may raise false positives. However, the new release tag records that the patches have been applied, and the API/ABI of OpenSSH remains identical, minimizing the risk of breaking existing workloads, an important consideration for compliance on long-term-support distributions.
The other choices are incorrect: fast-tracking would delay the fix until the next major upgrade; a rolling upgrade would replace 8.4p1 with 9.7p1 entirely (and would show the new version); and an in-place binary hot-patch outside the package manager would not be a standard vendor practice and would itself raise compliance concerns.
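The false-positive mechanism described above, as an added example that is not part of the exam page: a naive check compares only the upstream version against 9.7p1 and flags the backported package, while a distro-aware check compares the full version-release against the vendor's fixed-in release (8.4p1-6.el9). The advisory tables are constructed sample data, and `rpmvercmp` is a simplified reimplementation of RPM's version comparison (no epoch, tilde or caret handling).

```python
import re
from itertools import zip_longest

# Constructed sample advisory data: the page's vendor package (openssh-8.4p1-6.el9)
# fixes CVE-2025-12345, which upstream fixed in 9.7p1.
VENDOR_FIXED_IN = {"CVE-2025-12345": ("openssh", "8.4p1-6.el9")}
UPSTREAM_FIXED_IN = {"CVE-2025-12345": "9.7p1"}

def split_nvr(nvr):
    """Split 'name-version-release' into its parts; the last two dash-separated
    fields are version and release, everything before them is the name."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no epoch, no tilde/caret handling): compare
    alphanumeric segments left to right; digits compare as integers, letters
    lexically, digits sort after letters, and leftover segments win."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a),
                            re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def naive_scanner(installed_nvr, cve):
    """Upstream-only check: flags any version below the upstream fix,
    so a backported package still trips it (false positive)."""
    return rpmvercmp(split_nvr(installed_nvr)[1], UPSTREAM_FIXED_IN[cve]) < 0

def distro_aware_scanner(installed_nvr, cve):
    """Vendor-aware check: flags only if version-release is older than the
    release the vendor's advisory names as fixed."""
    name, version, release = split_nvr(installed_nvr)
    fixed_name, fixed_vr = VENDOR_FIXED_IN[cve]
    return name == fixed_name and evr_cmp(f"{version}-{release}", fixed_vr) < 0
```

On a real system the same comparison is what `rpm -q --changelog openssh` backs up: the changelog entry for release -6.el9 is where the vendor records the CVE it backported.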
CompTIA Linux+ XK0-006 (V8)
Security