You do not need to update either. RedHat (and by extension CentOS) back-port fixes into known stable version of applications and libraries. The versions that they provide via up2date or yum contain the latest bug fixes for the vulnerabilities found in such apps. There's no need to upgrade either. In fact, doing so can make your server less secure.
If, for some reason, you decide to do so, then you should make sure that you never allow yum to update openssl or openssh again as it will likely break them both, so they should be in your exclude list in yum.conf. You then are responsible for maintaining whatever uses the openssl libraries and openssh itself and you have to keep them up to date and watch the security lists constantly and upgrade in a timely manner.
If you choose to leave them alone, RedHat and CentOS do all that for you and react much more quickly as they are usually forewarned of imminent disclosure and have usually released secured back-ported versions - that's the whole point of an Enterprise OS.