Question regarding OpenSSH server on Ubuntu 16.04 LTS
Jonathan Sélea
jonathan.selea at instantsystems.se
Fri Sep 25 09:43:26 UTC 2020
Hi,

Yes, that issue does not even affect 7.2p2-4ubuntu2.8 at all, since they
don't build openssh with experimental functions such as XMSS.

Installing the slightly older version should be as simple as this:

    apt-get install openssh-server=1:7.2p2-4ubuntu2.10

I have no possibility to test that command on another box, so I am just
checking if that looks good.

On Fri, 25 Sep 2020 at 11:33, Colin Law <clanlaw at gmail.com> wrote:
> On Fri, 25 Sep 2020 at 10:25, Jonathan Sélea
> <jonathan.selea at instantsystems.se> wrote:
> >
> > Hi,
> > I realized that I could check that soon after I sent the email here :)
> >
> > openssh-server:
> >   Installed: 1:7.9p1-10+deb10u2
> >   Candidate: 1:7.9p1-10+deb10u2
> >   Version table:
> >  *** 1:7.9p1-10+deb10u2 100
> >         100 /var/lib/dpkg/status
> >      1:7.2p2-4ubuntu2.10 500
> >         500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
> >      1:7.2p2-4ubuntu2.8 500
> >         500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
> >      1:7.2p2-4 500
> >         500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages
> >
> > apt list -a openssh-server
> > Listing... Done
> > openssh-server/now 1:7.9p1-10+deb10u2 amd64 [installed,local]
> > openssh-server/xenial-updates 1:7.2p2-4ubuntu2.10 amd64
> > openssh-server/xenial-security 1:7.2p2-4ubuntu2.8 amd64
> > openssh-server/xenial 1:7.2p2-4 amd64
> >
> > I also found traces that the debian-repo was in use before. And used to
> > install openssh-server - most likely in order to mitigate other CVEs that
> > still exist in the Ubuntu versions.
> > So this leads into a follow-up question: Can I install openssh 8.1 or
> > even newer on Ubuntu 16.04 LTS?
>
>
> Have you checked whether the CVE fixes have been backported to
> 7.2p2-4ubuntu2.8? Usually that is how it is handled.
>
> Colin
>
> >
> >
> >
> > On Fri, 25 Sep 2020 at 11:03, Colin Law <clanlaw at gmail.com> wrote:
> >>
> >> On Fri, 25 Sep 2020 at 09:21, Jonathan Sélea
> >> <jonathan.selea at instantsystems.se> wrote:
> >> >
> >> > Hi there,
> >> > I noticed that the ssh-version that is being used by Ubuntu 16.04 LTS
> >> > (AWS EC2 instance) is the following for some reason:
> >> > SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
> >> >
> >> > Which for me, seems strange since Ubuntu _should_ ship their own
> >> > version, right?
> >> > However, it turns out that "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
> >> > is vulnerable to "CVE-2019-16905" (
> >> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905).
> >> > I am unable to find a newer version in the Ubuntu repository. And our
> >> > auditors say that we have to move to OpenSSH 8.1 at least. I can't see how
> >> > that is possible without compiling it for myself. And since it is a machine
> >> > that we can only reach over SSH, well - you see the problem :)
> >> >
> >> > Thankful for any advice!
> >>
> >> What does
> >> apt-cache policy openssh-server
> >> show?
> >>
> >> > --
> >> > ubuntu-users mailing list
> >> > ubuntu-users at lists.ubuntu.com
> >> > Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
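
The `apt-cache policy openssh-server` check from the thread, as an added example that is not part of any message above: a shell script that parses the policy output and flags the state found here, an installed version whose only source is `/var/lib/dpkg/status`, so no configured repository will ever update it. The function names are hypothetical, and the sample input is the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Constructed sample: the policy output quoted in the thread.
SAMPLE_POLICY='openssh-server:
  Installed: 1:7.9p1-10+deb10u2
  Candidate: 1:7.9p1-10+deb10u2
  Version table:
 *** 1:7.9p1-10+deb10u2 100
        100 /var/lib/dpkg/status
     1:7.2p2-4ubuntu2.10 500
        500 http://mirror.linux.pizza/ubuntu xenial-updates/main amd64 Packages
     1:7.2p2-4ubuntu2.8 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     1:7.2p2-4 500
        500 http://mirror.linux.pizza/ubuntu xenial/main amd64 Packages'

# Read policy output on stdin; print "flag version origin" per source line.
# flag is "*" for the installed version, origin is "local" or suite/component.
parse_policy() {
    awk '
        /Version table:/ { in_table = 1; next }
        !in_table { next }
        $NF ~ /^-?[0-9]+$/ {            # version line: ends in its pin priority
            flag = ($1 == "***") ? "*" : "-"
            ver  = ($1 == "***") ? $2 : $1
            next
        }
        $1 ~ /^-?[0-9]+$/ {             # source line: priority, then path or URL
            origin = ($2 ~ /^\//) ? "local" : $3
            print flag, ver, origin
        }'
}

# Exit 0 when the installed version is known only to dpkg, not to any repo.
installed_is_untracked() {
    parse_policy | awk '$1 == "*" { seen = 1; if ($3 != "local") repo = 1 }
                        END { exit !(seen && !repo) }'
}

# First repo-provided version (assumes apt lists newest first, as in the sample).
newest_repo_version() {
    parse_policy | awk '$3 != "local" { print $2; exit }'
}

if printf '%s\n' "$SAMPLE_POLICY" | installed_is_untracked; then
    v=$(printf '%s\n' "$SAMPLE_POLICY" | newest_repo_version)
    echo "installed build comes from no configured repo; newest repo build: $v"
fi
```

On a live host, pipe `apt-cache policy openssh-server` into the functions instead of the sample.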