diff --git a/etc/kayobe/dnf.yml b/etc/kayobe/dnf.yml
index effe18856..e7dcf1c65 100644
--- a/etc/kayobe/dnf.yml
+++ b/etc/kayobe/dnf.yml
@@ -122,6 +122,7 @@ dnf_custom_repos_rocky_9:
     file: Rocky-SIG-Security-Common
     gpgkey: "{{ rocky_9_sig_security_gpg_key }}"
     gpgcheck: yes
+    includepkgs: "openssh*"
     username: "{{ stackhpc_repo_mirror_username | default(omit, true) }}"
     password: "{{ stackhpc_repo_mirror_password | default(omit, true) }}"
 
diff --git a/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml b/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml
new file mode 100644
index 000000000..7c2892c80
--- /dev/null
+++ b/releasenotes/notes/security-common-openssh-6fbd5a1e95fd66ae.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Enables the Rocky Linux 9 SIG Security Common repository, which provides
+    updated OpenSSH packages addressing CVE-2024-6387 (regreSSHion). Other
+    packages available in this repository are currently ignored.