[Bug 1706543] Re: Upgrade to newer version (currently v7.5p1)
Tyler Hicks
tyhicks at canonical.com
Thu Jul 27 16:04:44 UTC 2017
Hello and thanks for the bug report! To reduce the risk of regressions,
we prefer to backport security fixes to our stable releases rather than
bump them to an entirely new version of the openssh package. Please
refer to the Ubuntu CVE Tracker for known issues affecting OpenSSH:

https://people.canonical.com/~ubuntu-security/cve/pkg/openssh.html

Ubuntu 16.04 LTS does have some outstanding OpenSSH CVEs that have not
yet been fixed but they're all rated low or negligible. However, I
expect that we'll begin work on security updates soon.

Please see the following FAQ entry for more details on our backporting
policy:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

I'm going to mark this bug invalid since we're unwilling to bump to an
entirely new OpenSSH version and all known CVEs are being tracked in the
Ubuntu CVE Tracker. Thanks again for the report!

** Attachment removed: "SSHDConfig.txt"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1706543/+attachment/4921533/+files/SSHDConfig.txt
** Attachment removed: "JournalErrors.txt"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1706543/+attachment/4921530/+files/JournalErrors.txt
** Information type changed from Private Security to Public Security
** Changed in: openssh (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1706543
Title:
Upgrade to newer version (currently v7.5p1)
Status in openssh package in Ubuntu:
Invalid
Bug description:
LTS is running v7.2p2 from 01.Mar.2016.
OpenSSH v7.5p1 is available since 20.Mar.2017.
For v7.2 there are at least 4 known vulnerabilities:
https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-194112/Openbsd-Openssh-7.2.html
which make the security package less secure.
Please, update it for LTS at least, not just "latest" and "forthcoming".
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-server 1:7.2p2-4ubuntu2.2
Uname: Linux 4.11.7-041107-lowlatency x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
CurrentDesktop: KDE
Date: Wed Jul 26 09:52:16 2017
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)