Like all major Linux distributions, Ubuntu backports security and bug fixes so that updates do not break applications due to version incompatibilities.
Ubuntu only packages the latest versions of software when there is a new Ubuntu release. Then, for the life of each Ubuntu release, they keep software patched to ensure security and stability without introducing breaking changes.
The table below lists the OpenSSH version installed on each Ubuntu version. As long as your server's Ubuntu version has not reached its end of life, the OpenSSH installation on your server is being regularly updated with security patches.
| Ubuntu Version | OpenSSH Version | Changelog |
|---|---|---|
| Ubuntu 24.04 | OpenSSH 9.6 | changelog |
| Ubuntu 22.04 | OpenSSH 8.9 | changelog |
| Ubuntu 20.04 | OpenSSH 8.2 | changelog |
| Ubuntu 18.04 | OpenSSH 7.6 | changelog |
| Ubuntu 16.04 | OpenSSH 7.2 | changelog |
| Ubuntu 14.04 | OpenSSH 6.6 | changelog |
If you receive a PCI compliance warning telling you to update to the most recent version of OpenSSH, your PCI scanner is most likely showing a false positive.
You do not and should not take any action to change your server.
Instead, let the company performing the PCI scan know the version of Ubuntu the server is running and the version of the OpenSSH package installed on the server. You can get this information using the following commands:
lsb_release -r dpkg --list openssh-server
You may also want to provide the company performing the scan with a link to the OpenSSH changelog for your server's Ubuntu version (see the table above).