Re: SSH vulnerability

To: Marc SCHAEFER <schaefer@alphanet.ch>
Cc: debian-lts@lists.debian.org
Subject: Re: SSH vulnerability
From: Ola Lundqvist <ola@inguza.com>
Date: Mon, 1 Jul 2024 11:51:32 +0200
Message-id: <[🔎] CABY6=0mBbQq1Z0wOvk0gO8G=-0We-JMpMRM=EGq5Dd6qSjyOtg@mail.gmail.com>
In-reply-to: <[🔎] ZoJwRcDwcd2Z3CuK@alphanet.ch>
References: <0b2c6ec051380e80d7c1b3c619452cd9afd4c3f4.camel@debian.org> <8decdcade3d12bdf284a128d695879032b790c7f.camel@lrz.de> <[🔎] ZoJwRcDwcd2Z3CuK@alphanet.ch>

Hi

I have checked the source code and I can confirm that the code pointed to
https://security-tracker.debian.org/tracker/CVE-2024-6387
as "introduced with"
(https://github.com/openssh/openssh-portable/commit/752250caabda3dd24635503c4cd689b32a650794)
is not in the source, and therefore must have been introduced later.

Cheers

// Ola

On Mon, 1 Jul 2024 at 11:33, Marc SCHAEFER <schaefer@alphanet.ch> wrote:
>
> Hello,
>
> Regarding https://security-tracker.debian.org/tracker/CVE-2024-6387
> I guess *buster* is not affected either, because it did not
> integrate the patchset from 2020?
>
> I ask this even if buster LTS support stopped ... yesterday.
>
> I still have one server (upgrading today) which has a fully
> accessible SSH server on buster (actually it will be stopped
> during the upgrade, and then bullseye is marked non-vulnerable).
>
> But still, this is a big potential vulnerability, so maybe communicating
> on it should be a good idea.
>
> Have a nice day.
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

References:
- SSH vulnerability
  - From: Marc SCHAEFER <schaefer@alphanet.ch>

Prev by Date: SSH vulnerability
Next by Date: Packages to add back to dla-needed (?)
Previous by thread: SSH vulnerability
Next by thread: Packages to add back to dla-needed (?)
Index(es):
- Date
- Thread