Our flagship product Univview is used by several SMEs to collect recurring payments. We deliver this product along with a complete site (the site is usually free of charge; the Uniview product is priced) to our clients. Before we hand over, we run a vulnerability scan using one of the online scanners. During one of these scans we noticed something peculiar: the scanner reported an OpenSSH "X SECURITY" bypass vulnerability on SSH on one of our CentOS 7.2 VPSes.
Such a report would freak out our clients' IT security teams.
We found this rather strange, because Red Hat would never ignore such a vulnerability. On closer inspection we found that the scanner was going merely by the version numbers of the packages. If you are in a similar situation you should know that it is rather naive for vulnerability scanners and IT security teams to go by version number alone; instead they should check the change logs or the CVE IDs. Ask the IT security team or the audit team which CVE IDs worry them. If they don't have an answer, it is time to change your IT security vendor. If they do provide a number (in our case we were told that CVE-2015-5352 was of concern), check the change log in the package manager to see whether the fix has been backported into the distribution package. In our case we ran rpm -q openssh --changelog | grep CVE-2015-5352 and found that there was indeed a backport from 6.9 to 6.1 to fix the vulnerability. (Change the CVE number as appropriate before running this command on your server.) If you are more inclined to use a GUI, visit the Red Hat Bugzilla database at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5352 (change the CVE ID as appropriate) to check the status.
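The change-log check above can be wrapped into a small script so that it is repeatable for every CVE the auditors raise. The following is an added example written for this post, not a script from the original article or from the Uniview product. It assumes an RPM-based host (the real input is the output of rpm -q PACKAGE --changelog); when rpm is not present it falls back to a constructed sample change log embedded in the script, so it runs offline. The package name, version string and maintainer in the sample are placeholders, not real entries. It also matches the CVE ID as a whole word so that CVE-2015-5352 does not silently match an unrelated CVE-2015-53520.

```shell
#!/bin/sh
# Added example: confirm whether a distribution package carries a backported
# fix for a given CVE by searching the package change log, instead of
# trusting a scanner that only looks at the version banner.

# Constructed sample change log (placeholder maintainer, version and date);
# stands in for `rpm -q openssh --changelog` when rpm is not available.
SAMPLE_CHANGELOG='* Mon Jan 01 2016 Example Maintainer <maintainer@example.com> - X.Y-Z
- backport upstream fix for CVE-2015-5352 (constructed sample entry)
- resolves: placeholder bug id

* Mon Dec 01 2015 Example Maintainer <maintainer@example.com> - X.Y-Y
- unrelated change (constructed sample entry)'

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# Exit status 0 when the CVE ID appears as a whole word in the change log.
# -w prevents CVE-2015-5352 from matching CVE-2015-53520; -i tolerates "cve-".
changelog_mentions_cve() {
  printf '%s\n' "$1" | grep -q -i -w -- "$2"
}

# cve_fix_status CHANGELOG_TEXT CVE_ID
# Prints a one-line verdict whose first field (before the colon) is the status.
cve_fix_status() {
  if changelog_mentions_cve "$1" "$2"; then
    printf 'backported: %s is referenced in the package change log\n' "$2"
  else
    printf 'unconfirmed: %s not referenced; check the vendor bug tracker before acting on the scanner report\n' "$2"
  fi
}

# get_changelog PACKAGE
# Uses the real rpm change log when rpm exists, otherwise the constructed sample.
get_changelog() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q "$1" --changelog 2>/dev/null
  else
    printf '%s\n' "$SAMPLE_CHANGELOG"
  fi
}

# check_cve PACKAGE CVE_ID ... : one verdict line per CVE ID.
check_cve() {
  pkg=$1
  shift
  log=$(get_changelog "$pkg")
  for cve in "$@"; do
    printf '%s %s\n' "$pkg" "$(cve_fix_status "$log" "$cve")"
  done
}

# Usage: ./check_cve.sh openssh CVE-2015-5352
# Without arguments the script runs the sample CVE against the sample log.
if [ "$#" -ge 2 ]; then
  check_cve "$@"
elif [ -z "${CVE_CHECK_NO_MAIN:-}" ]; then
  check_cve openssh CVE-2015-5352 CVE-2015-53520
fi
```

A status of "backported" is the evidence to hand to the auditors; "unconfirmed" means the scanner's finding still has to be resolved against the vendor's bug tracker rather than dismissed.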
Most vulnerability scanners do their checks by matching the version strings in configuration files and banners, and IT security teams blindly repose faith in these reports. Most scanners will tell you that a specific version is vulnerable based on their internal database and then give you an upgrade path.
Try this little exercise. On your Apache server set ServerTokens to Major and watch your vulnerability scanner go berserk reporting vulnerabilities, even though you are on an up-to-date upstream version.
It's time IT security teams looked under the hood rather than taking such vulnerability reports at face value. It would help their organisation avoid expensive upgrades.