Question regarding OpenSSH server on Ubuntu 16.04 LTS

Jonathan Sélea jonathan.selea at instantsystems.se
Fri Sep 25 09:23:33 UTC 2020


Hi,
I realized that I could check that soon after I sent the email here :)

openssh-server:
  Installed: 1:7.9p1-10+deb10u2
  Candidate: 1:7.9p1-10+deb10u2
  Version table:
 *** 1:7.9p1-10+deb10u2 100
        100 /var/lib/dpkg/status
     1:7.2p2-4ubuntu2.10 500
        500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
     1:7.2p2-4ubuntu2.8 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     1:7.2p2-4 500
        500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages

apt list -a openssh-server
Listing... Done
openssh-server/now 1:7.9p1-10+deb10u2 amd64 [installed,local]
openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64
openssh-server/xenial-security 1:7.2p2-4ubuntu2.8 amd64
openssh-server/xenial 1:7.2p2-4 amd64

I also found traces that the Debian repo was in use before, and was used to
install openssh-server - most likely in order to mitigate other CVEs that
still exist in the Ubuntu versions.
So this leads to a follow-up question: Can I install OpenSSH 8.1 or even
newer on Ubuntu 16.04 LTS?


On Fri, 25 Sep 2020 at 11:03, Colin Law <clanlaw at gmail.com> wrote:

> On Fri, 25 Sep 2020 at 09:21, Jonathan Sélea
> <jonathan.selea at instantsystems.se> wrote:
> >
> > Hi there,
> > I noticed that the ssh-version that is being used by Ubuntu 16.04 LTS (AWS EC2 instance) is the following for some reason:
> > SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
> >
> > Which for me, seems strange since Ubuntu _should_ ship their own version right?
> > However, it turns out that "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2" is vulnerable to "CVE-2019-16905" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905).
> > I am unable to find a newer version in the Ubuntu repository. And our auditors say that we have to move to OpenSSH 8.1 at least. I can't see how that is possible without compiling it for myself. And since it is a machine that we only can reach over SSH, well - you see the problem :)
> >
> > Thankful for any advice!
>
> What does
> apt-cache policy openssh-server
> show?
>
> > --
> > ubuntu-users mailing list
> > ubuntu-users at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
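Added example, not part of the original message or of any Ubuntu tooling: a Python parser for `apt-cache policy` output like that shown in the message, which flags an installed version listed only under /var/lib/dpkg/status, that is, one that no configured repository offers. The function names are hypothetical, and the sample input is the output quoted in the message with its wrapped lines rejoined.

```python
# Constructed sample input: the `apt-cache policy openssh-server` output quoted in the message.
SAMPLE = """\
openssh-server:
  Installed: 1:7.9p1-10+deb10u2
  Candidate: 1:7.9p1-10+deb10u2
  Version table:
 *** 1:7.9p1-10+deb10u2 100
        100 /var/lib/dpkg/status
     1:7.2p2-4ubuntu2.10 500
        500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
     1:7.2p2-4ubuntu2.8 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     1:7.2p2-4 500
        500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages
"""

DPKG_STATUS = "/var/lib/dpkg/status"  # local dpkg database, not a repository


def parse_policy(text):
    """Return (installed_version, {version: [source, ...]}) for one package."""
    installed, table, current, in_table = None, {}, None, False
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "Installed:":
            installed = toks[1]
        elif toks[:2] == ["Version", "table:"]:
            in_table = True
        elif in_table:
            if toks[0] == "***":  # marker in front of the installed version
                toks = toks[1:]
            if len(toks) == 2 and toks[1].lstrip("-").isdigit():  # "<version> <priority>"
                current = toks[0]
                table.setdefault(current, [])
            elif current is not None:  # "<priority> <source ...>"
                table[current].append(" ".join(toks[1:]))
    return installed, table


def origin_report(text):
    """Flag an installed version that no configured repository provides."""
    installed, table = parse_policy(text)
    repos = [s for s in table.get(installed, []) if s != DPKG_STATUS]
    offered = [v for v, src in table.items() if any(s != DPKG_STATUS for s in src)]
    return {"installed": installed, "unmanaged": not repos, "repo_versions": offered}
```

For the sample, `origin_report(SAMPLE)` reports the installed 7.9p1 Debian build as unmanaged and lists the three xenial versions the configured repositories actually offer.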