upgrade ssh from SIG/security to fix CVE-2024-6387

Author: sjpb

ansible/bootstrap.yml

@@ -167,6 +167,14 @@
         async: "{{ 30 * 60 }}" # wait for up to 30 minutes
         poll: 15 # check every 15 seconds
         register: updates
+      - name: Install SIG/security release repo
+        dnf:
+          name: rocky-release-security
+      - name: Upgrade openssh
+        dnf:
+          name: openssh\*
+          enablerepo:
+            - security-common
       - name: Ensure update log directory on localhost exists
         file:
           path: "{{ update_log_path | dirname }}"