I am in a situation where we are doing internal PCI scans, and one server that is in scope is an Ubuntu Server 16.04.2 LTS. The latest package for openssh-server is OpenSSH_7.2p2, as shown by the command ssh -V. The PCI scan is complaining about some new CVE bugs/vulnerabilities:
CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012
All of these show as "needed" when looking at http://people.canonical.com/~ubuntu-security/cve/
As I am pretty new to PCI compliance and scans, I am wondering how I should proceed to pass here. I have tried upgrading to OpenSSH 7.5 manually. Though the ssh -V command shows 7.5, the scan is not picking that up and thinks I am still using 7.2. Am I missing something here regarding my manual upgrade, and why does my scan program still think that I am using 7.2? And if I cannot upgrade it manually and need to rely on the backports released in the future, can I argue to pass the internal scan based on that?
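A network scanner fingerprints the identification string the running sshd sends on port 22, whereas ssh -V only reports the local ssh client binary; the added script below (not part of the post) reads both so the two can be compared, and also pulls out the distro package revision in the banner, which is what changes when a distribution backports a CVE fix without bumping the upstream version. It assumes a POSIX sh with nc (netcat) installed and 127.0.0.1:22 as the default target.

```shell
#!/bin/sh
# Added example: show the OpenSSH version a scanner sees (the sshd banner)
# next to the version "ssh -V" reports. Host/port are assumptions.

# Extract "7.2p2" (or "7.5") from a banner such as
# "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2".
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9.p]*\).*/\1/p'
}

# Extract the Ubuntu package revision (e.g. "4ubuntu2.2") if the banner has
# one. Distro security updates patch the CVE but keep the upstream version,
# so this suffix, not "7.2p2", shows whether a backported fix is installed.
banner_distro_rev() {
    printf '%s\n' "$1" | sed -n 's/.*Ubuntu-\([0-9][0-9a-z.]*\).*/\1/p'
}

# First line sshd sends on connect; it is sent before any authentication,
# so no credentials are needed. Assumes nc (netcat) is available.
server_banner() {
    printf '' | nc -w 3 "${1:-127.0.0.1}" "${2:-22}" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Version of the local ssh client binary, which is all "ssh -V" reports
# (it prints to stderr, hence the redirect).
client_version() {
    ssh -V 2>&1 | sed -n 's/^OpenSSH_\([0-9][0-9.p]*\).*/\1/p'
}

# Compare what the scanner would see with the client version; returns 1
# when the daemon answering on the port is not the version ssh -V shows.
check_host() {
    b=$(server_banner "$@")
    sv=$(banner_version "$b")
    cv=$(client_version)
    printf 'daemon banner : %s\nclient ssh -V : %s\n' "$b" "$cv"
    if [ -n "$sv" ] && [ "$sv" = "$cv" ]; then
        echo "match: daemon and client are both OpenSSH_$sv"
    else
        echo "mismatch: port ${2:-22} is served by OpenSSH_${sv:-?}, client is OpenSSH_${cv:-?}"
        return 1
    fi
}

if [ $# -gt 0 ]; then
    check_host "$@"
fi
```

Run it as `sh check_sshd.sh 127.0.0.1 22` on the scanned host; a mismatch means the service on port 22 is not the binary you built, and the distro revision tells you which package update is actually running.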