Question regarding OpenSSH server on Ubuntu 16.04 LTS

Jonathan Sélea jonathan.selea at instantsystems.se
Fri Sep 25 08:18:41 UTC 2020


Hi there,
I noticed that the ssh-version that is being used by Ubuntu 16.04 LTS (AWS
EC2 instance) is the following for some reason:
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Which, for me, seems strange since Ubuntu _should_ ship their own version,
right?
However, it turns out that "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2" is
vulnerable to "CVE-2019-16905" (
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905).
I am unable to find a newer version in the Ubuntu repository. And our
auditors say that we have to move to OpenSSH 8.1 at least. I can't see how
that is possible without compiling it for myself. And since it is a machine
that we can only reach over SSH, well - you see the problem :)

Thankful for any advice!