
Question along these lines. What version should an updated RHEL4 server have?

I'm only at OpenSSH_3.9p1 yet up2date says everything is up to date.



So, just in case anyone is confused about RHEL packaging policy: The version stays the same for the life of the release; patches are applied to that version to fix security and stability issues.

Our forums see tons of questions about this, with folks assuming that because they have an "old" version of PHP or Apache or whatever, that it has known security vulnerabilities. When, in reality, an RHEL released package is probably at least as well-vetted for security as the latest release from upstream.

But, in this case, since there is no known exploit (and it is possibly fictional), there's nothing vendors can possibly do about the problem. I suppose vendors could have been quietly notified of the problem, and we'd start seeing new releases rolling out; but you'd see errata on the relevant vendor's website. Asking random folks on HN wouldn't be the best course of action for reliable answers.

Anyway, OpenSSH.org has nothing on the subject.


Google seems to agree with it.



