Question regarding OpenSSH server on Ubuntu 16.04 LTS

Colin Law clanlaw at gmail.com
Fri Sep 25 09:31:25 UTC 2020


On Fri, 25 Sep 2020 at 10:25, Jonathan Sélea
<jonathan.selea at instantsystems.se> wrote:
>
> Hi,
> I realized that I could check that soon after I sent the email here :)
>
> openssh-server:
>   Installed: 1:7.9p1-10+deb10u2
>   Candidate: 1:7.9p1-10+deb10u2
>   Version table:
>  *** 1:7.9p1-10+deb10u2 100
>         100 /var/lib/dpkg/status
>      1:7.2p2-4ubuntu2.10 500
>         500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
>      1:7.2p2-4ubuntu2.8 500
>         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
>      1:7.2p2-4 500
>         500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages
>
> apt list -a openssh-server
> Listing... Done
> openssh-server/now 1:7.9p1-10+deb10u2 amd64 [installed,local]
> openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64
> openssh-server/xenial-security 1:7.2p2-4ubuntu2.8 amd64
> openssh-server/xenial 1:7.2p2-4 amd64
>
> I also found traces that the debian-repo was in use before. And used to install openssh-server - most likely in order to mitigate other CVEs that still exist in the Ubuntu versions.
> So this leads into a follow-up question: Can I install openssh 8.1 or even newer on Ubuntu 16.04 LTS?


Have you checked whether the CVE fixes have been backported to
7.2p2-4ubuntu2.8?  Usually that is how it is handled.

Colin

>
> On Fri 25 Sep 2020 at 11:03, Colin Law <clanlaw at gmail.com> wrote:
>>
>> On Fri, 25 Sep 2020 at 09:21, Jonathan Sélea
>> <jonathan.selea at instantsystems.se> wrote:
>> >
>> > Hi there,
>> > I noticed that the SSH version that is being used by Ubuntu 16.04 LTS (AWS EC2 instance) is the following for some reason:
>> > SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
>> >
>> > Which for me, seems strange since Ubuntu _should_ ship their own version right?
>> > However, it turns out that "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2" is vulnerable to "CVE-2019-16905" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905).
>> > I am unable to find a newer version in the Ubuntu repository. And our auditors say that we have to move to OpenSSH 8.1 at least. I can't see how that is possible without compiling it for myself. And since it is a machine that we only can reach over SSH, well - you see the problem :)
>> >
>> > Thankful for any advice!
>>
>> What does
>> apt-cache policy openssh-server
>> show?
>>
>> > --
>> > ubuntu-users mailing list
>> > ubuntu-users at lists.ubuntu.com
>> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
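The apt-cache policy output quoted above shows the installed openssh-server backed only by /var/lib/dpkg/status, which is how a package installed from a foreign .deb appears: no configured repository provides that version, so apt will never update it. As an added example (not code from this thread), the POSIX shell script below parses that output, embedded here as a constructed sample, and flags an installed version that no repository provides alongside the newest version the repositories do offer; the function names are my own.

```shell
# Constructed sample: the apt-cache policy output quoted in the thread.
SAMPLE_POLICY='openssh-server:
  Installed: 1:7.9p1-10+deb10u2
  Candidate: 1:7.9p1-10+deb10u2
  Version table:
 *** 1:7.9p1-10+deb10u2 100
        100 /var/lib/dpkg/status
     1:7.2p2-4ubuntu2.10 500
        500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
     1:7.2p2-4ubuntu2.8 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     1:7.2p2-4 500
        500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages'

# installed_version POLICY -> value of the "Installed:" line
installed_version() {
  printf '%s\n' "$1" | awk '$1 == "Installed:" { print $2 }'
}

# installed_origin POLICY -> "local" when the "***" row is backed only by
# /var/lib/dpkg/status (no configured repository provides that version),
# otherwise the first repository URL that provides it.
installed_origin() {
  printf '%s\n' "$1" | awk '
    /^ \*\*\* /                            { in_row = 1; next }
    in_row && /^     [^ ]/                 { exit }
    in_row && $2 != "/var/lib/dpkg/status" { print $2; found = 1; exit }
    END                                    { if (!found) print "local" }'
}

# repo_versions POLICY -> versions at least one repository provides, highest first
repo_versions() {
  printf '%s\n' "$1" | awk '
    /^( \*\*\* |     )[^ ]/ { ver = ($1 == "***") ? $2 : $1 }
    /^        [0-9]+ / && $2 ~ /^https?:\/\// && !seen[ver]++ { print ver }'
}

# audit_package POLICY -> a one-line verdict for the package
audit_package() {
  inst=$(installed_version "$1")
  origin=$(installed_origin "$1")
  if [ "$origin" = "local" ]; then
    echo "$inst is installed but no configured repository provides it;" \
         "newest repository version: $(repo_versions "$1" | head -n 1)"
  else
    echo "$inst is installed from $origin"
  fi
}
audit_package "$SAMPLE_POLICY"
```

On a live host, replace the sample with `audit_package "$(apt-cache policy openssh-server)"`; whether a given CVE was backported to the repository version is then a separate check against that version's changelog (`apt-get changelog openssh-server`).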
