[sf-lug] openssh server vulnerability
The Doctor
drwho at virtadpt.net
Mon Jul 1 10:40:54 PDT 2024
On Monday, July 1st, 2024 at 09:06, Akkana Peck <akkana at shallowsky.com> wrote:
> Update your Linux machines, especially servers. There's an ssh race condition --
> actually not new, but a regression of a much earlier bug that had been fixed.
> There's lots of detail at
>
> https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
There is a good amount of detail here, also:
https://www.openwall.com/lists/oss-security/2024/07/01/3
> I haven't checked on the status of other distros besides Debian.
Arch Linux posted a brief notice that sshd needs to be restarted after an upgrade, though not why:
https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
I just finished analyzing the bulletins at work and running around their hosts
as well as my own. Ubuntu 22.04 has a patch available, which you'll want to get
installed ASAP. Ubuntu 20.04 has not-vulnerable versions. Ubuntu 18.04,
running OpenSSH v7.6, is not vulnerable.
The Ubuntu CVE tracker (https://ubuntu.com/security/cves?q=openssh&package=&priority=&version=)
doesn't show anything yet but that doesn't mean anything because it's mentioned in
the package changelogs for 22.04:
openssh (1:8.9p1-3ubuntu0.10) jammy-security; urgency=medium
* SECURITY UPDATE: remote code execution via signal handler race
condition (LP: #2070497)
- debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
- CVE-2024-6387
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Wed, 26 Jun 2024 09:11:55 -0400
If any other parts of me find anything, they'll let me know and I'll pass along
the information.
The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
Don't be mean. You don't have to be mean.
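As an added example that is not part of the list post, here is a small POSIX shell script a sysadmin could use while doing the same sweep: it pulls the upstream version out of an `ssh -V`/`sshd` banner string, classifies it against the CVE-2024-6387 affected ranges from the Qualys advisory linked in the thread (before 4.4p1; 8.5p1 through 9.7p1; fixed in 9.8p1), and, for Ubuntu 22.04, treats package revision 3ubuntu0.10 or later as fixed based on the changelog entry quoted above. The last function covers the Arch notice: it lists sshd processes still running a binary that was replaced on disk and so still need a restart. The banner strings are constructed sample input; the range table and the jammy revision are assumptions drawn from the advisory and the quoted changelog, not from any distro tool.

```sh
#!/bin/sh
# Added example, not from the list post. Upstream affected ranges for
# CVE-2024-6387 (regreSSHion), as published in the Qualys advisory:
#   < 4.4p1          vulnerable (unless patched for CVE-2006-5051)
#   4.4p1 .. 8.4p1   not vulnerable
#   8.5p1 .. 9.7p1   vulnerable
#   >= 9.8p1         fixed
# Distributions backport fixes without bumping the upstream version, so an
# upstream verdict of "vulnerable" must be cross-checked against the package
# revision; ubuntu_jammy_fixed does that for 22.04 using the 1:8.9p1-3ubuntu0.10
# changelog entry quoted in the thread.

# Extract "8.9p1" from a banner like "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL ..."
openssh_upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Turn "8.9p1" into an integer (major*10000 + minor*100 + patchlevel) for comparison
openssh_version_key() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    case $rest in
        *p*) patch=${rest#*p} ;;
        *)   patch=0 ;;
    esac
    echo $((major * 10000 + minor * 100 + patch))
}

# Verdict from the upstream version alone: vulnerable, not-vulnerable or fixed
regresshion_upstream_status() {
    key=$(openssh_version_key "$1")
    if [ "$key" -lt "$(openssh_version_key 4.4p1)" ]; then
        echo vulnerable
    elif [ "$key" -le "$(openssh_version_key 8.4p1)" ]; then
        echo not-vulnerable
    elif [ "$key" -le "$(openssh_version_key 9.7p1)" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Ubuntu 22.04 only: accepts a dpkg version ("1:8.9p1-3ubuntu0.10") or the
# "Ubuntu-3ubuntu0.10" token from the banner; true when the revision is >= .10
ubuntu_jammy_fixed() {
    rev=$(printf '%s\n' "$1" | sed -n 's/.*3ubuntu0\.\([0-9][0-9]*\).*/\1/p')
    [ -n "$rev" ] && [ "$rev" -ge 10 ]
}

# Combined verdict for a banner string; the jammy package revision overrides
# the upstream range when it carries the backported fix
regresshion_status() {
    banner=$1
    upstream=$(openssh_upstream_version "$banner")
    [ -n "$upstream" ] || { echo unknown; return 0; }
    status=$(regresshion_upstream_status "$upstream")
    case $banner in
        OpenSSH_8.9p1\ Ubuntu-3ubuntu0.*)
            if [ "$status" = vulnerable ] && ubuntu_jammy_fixed "$banner"; then
                status=fixed-by-distro-patch
            fi ;;
    esac
    echo "$status"
}

# Linux, run as root: print PIDs of sshd processes whose executable was replaced
# on disk after they started (the kernel marks the old inode "(deleted)").
# Package managers replace /usr/sbin/sshd by rename, so a non-empty list means
# the upgrade is installed but the running daemon still needs a restart.
stale_sshd_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *"/sshd (deleted)") pid=${exe#/proc/}; echo "${pid%%/*}" ;;
        esac
    done
}

# Example run against a constructed jammy banner (use "$(ssh -V 2>&1)" on a real host)
regresshion_status 'OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022'
```

The upstream-range check alone would flag every Ubuntu 22.04 box as vulnerable, which is exactly the trap the thread warns about: the fix arrived as a distro patch on 8.9p1, so the package revision, not the OpenSSH version, is what tells you whether a host is done.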