SSH version and vulnerability

Question

Hi there. 
 I just noticed a new Vulnerability here: https://www.exploit-db.com/exploits/40888/ 
 as it states any ssh below 7.3 is affected. this includes Sophos UTM 9.4 
 sophos_utm:/ # ssh -v localhost OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015 
 Any sign that Sophos is going to update this outdated SSH and SSL?

BAlfson · Answer

I've seen questions like this many times over the years. In most cases, it's easier for the developers to apply a fix to the version that they already have hardened and certified. It's a lot of effort to test, harden and vet a new version. I suspect that this is what's happened here. 
 In any case, as others have suggested, you can change the port so that even the Chinese military wouldn't be looking for an SSH server at your IP. I don't do that because of the following: 
 Certainly, you want access to be as limited as possible. For WebAdmin and Shell Access, I limit the allowed networks to just a few IPs: 
 
 "my_user_name (Address)" if accessing via Remote Access 
 My office IPs 
 My Home IP and that of the local admin(s) 
 Internal IPs of the local admin(s), not "Internal (Network)" 
 Sophos Support IPs are added when a ticket is opened with them 
 
 If you do this, there is virtually zero exposure even if the devs haven't yet applied a fix. 
 Cheers - Bob