
I've seen in a blog that Ubuntu released a fix for the RegreSSHion vulnerability. But I'm confused about getting those fixed patches to my system.

Currently, I've installed Ubuntu 22.04 on my Surface, but I'm not able to get the fix even after performing apt update and multiple reboots.

Kindly suggest—is there any other process that I need to follow?

The blog I've referred to: https://ubuntu.com/blog/ubuntu-regresshion-security-fix

The patch released: https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

  • The command sudo apt update only updates your machine's software lists, i.e. so it knows what updates are available, but does not apply them until you decide to (via a command usually executed after what you just did). Have you applied security fixes, or just updated your software lists? Your question details imply you only did the former.
    – guiverc
    Commented Jul 7 at 6:10
  • 2
    This question is similar to: How to install updates via command line? If you believe it's different, please edit the question, make it clear how it's different and/or how the answers on that question are not helpful for your problem.
    – guiverc
    Commented Jul 7 at 6:12
  • My main agenda is to update my openssh version. Current one: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022. Kindly check the attached link for the openssh security fix. ubuntu.com/security/CVE-2024-6387 launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10
    – abhi
    Commented Jul 7 at 6:19
  • Your question makes no mention of applying security fixes; i.e. sudo apt upgrade will apply most upgrades, but depending on what you have installed (esp. 3rd party) a sudo apt full-upgrade may be required. I.e. apt update only updates software lists so your machine is aware of what can be upgraded, and you decide when to upgrade them using either apt upgrade OR apt full-upgrade (as there are differences between those; you have full control over when you want any consequences required by full-upgrade).
    – guiverc
    Commented Jul 7 at 6:34
  • Please also be clear & specific with details; Ubuntu 22.04 & the Ubuntu Core 22 system (22 being the snap-only version of 22.04) are different Ubuntu Server products, using different commands. Your question mentions 22 in the text but 22.04 in the tag; so use the appropriate command for whichever of 22 or 22.04 you're using.
    – guiverc
    Commented Jul 7 at 6:37

2 Answers

Typically, fixes like that are distributed in the routine package updates. So if you keep your packages up to date (which is a good idea in most cases anyway), you should have the fix.

If you want to check which package version(s) you exactly need, you can look that up. The blog article you mentioned links in the first paragraph to the corresponding entry in Ubuntu Security. There, you can check under "Status" which versions of which source code packages you need. For Ubuntu 22.04 LTS Jammy Jellyfish, you look for "Jammy":

Package openssh, jammy, Released (1:8.9p1-3ubuntu0.10)
Package openssh-ssh1, jammy, Not vulnerable (introduced in v8.5p1)

So for this, you only need to worry about any binary packages built from the source package openssh (if you have installed anything related to OpenSSH 1.x in the first place).

To find out which binary packages that are, the Ubuntu Security package conveniently links a search to the Ubuntu packages list, under the keyword "Ubuntu". For the source package openssh, that would be this search.

There again, you can look for your distribution version, being Jammy. This shows you that from the source package openssh, the following binary packages are built:

openssh-client, openssh-server, openssh-sftp-server, openssh-tests, ssh, ssh-askpass-gnome

Each of those is a link to the respective package in the packages list. So you can look up there which is the newest version. Typically, the naming will follow the source package, so you'll be looking for openssh-client 1:8.9p1-3ubuntu0.10, openssh-server 1:8.9p1-3ubuntu0.10 and so forth. You can check with apt policy which package in which version you have currently installed, for example apt policy openssh-client, apt policy openssh-server etc.

In case any of those packages are still on outdated versions, you can update them with apt upgrade. But as I mentioned above, if you do your routine package updates, those should already have been handled. Of course, you only need to update packages that you're actually using, so if for example you don't have openssh-tests installed, you don't need to upgrade it to any newer version.

As a side remark just in case: If you installed anything OpenSSH-related yourself outside of the Ubuntu package system, for example by compiling it yourself, you're responsible for that yourself. The Ubuntu package system can't help you with those cases.

  • Hello Henning, I appreciate you spending your time responding to my query. I got a complete picture of handling packages in Ubuntu from your post. Really, thanks a lot. Now I can make sure that my Surface is using a bug-free version of openssh.
    – abhi
    Commented Jul 7 at 7:46

As mentioned in the comments, sudo apt update only updates your list of packages and does not perform any updates.

To update the software on your system, run the following command only after you run sudo apt update:

sudo apt upgrade

or

sudo apt full-upgrade

if you aren't running in production. That should upgrade all existing packages where an update is available.

According to the blog post you referenced, you should've run the following as a single command:

sudo apt update && sudo apt install openssh-server

According to the Ubuntu security notices webpage, a patched version for Ubuntu Jammy (22.04) was released as version 1:8.9p1-3ubuntu0.10.

Run:

dpkg -l | grep openssh

to view the version currently installed on your system.

Also, the openssh-ssh1 package appears to be not vulnerable according to the security notice:

Not vulnerable (introduced in v8.5p1)

Additionally, a mitigation is listed along with the security notice. If you are still worried about it, then you can apply the mitigation:

Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability.

So for example, if your /etc/ssh/sshd_config has the following listed:

#LoginGraceTime 2m

You would edit the line in your /etc/ssh/sshd_config file to say the following instead:

LoginGraceTime 0

and then reboot or restart sshd.

  • Thanks a lot for your detailed response. I'm new to Ubuntu and because of this security fix news I got confused. Your response really helped me a lot in clarifying my query. Initially I thought the openssh version '1:8.9p1-3ubuntu0.10' was also a vulnerable version. But now, as I have understood, my installed openssh version is the fixed one and I don't need to do anything, right?
    – abhi
    Commented Jul 7 at 7:41
  • @abhi Yeah, it's still not the latest version of openssh, but it's an older version that has been patched to fix the security vulnerability, so that throws a lot of people off.
    – mchid
    Commented Jul 7 at 13:46
  • @abhi And as far as I know, you don't need to do anything else, but you could apply the mitigation if it's not already set to 0, although then that makes you vulnerable to a possible denial of service, and since the version you're running has been patched, that doesn't seem necessary.
    – mchid
    Commented Jul 7 at 13:49
  • Appreciate your help in clarifying my query. Now I will use my system without any confusion. Thanks :)
    – abhi
    Commented Jul 8 at 4:54
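The mitigation step in the answer above turns on two sshd_config rules that are easy to get wrong: a `#LoginGraceTime 2m` line is only a comment documenting the compiled-in default, and when a keyword appears more than once, the first active occurrence wins. The script below reads a config in that way and reports the effective LoginGraceTime and whether the mitigation is in force, with the MaxStartups trade-off from the notice in its verdict. It is an added example, not part of the thread and not an OpenSSH tool; the two sample configs are constructed, and the script does not expand `Include` lines, so on a real host `sudo sshd -T` remains the authoritative view of the running configuration.

```python
"""Report the effective sshd LoginGraceTime from an sshd_config file.

Added example; not from the thread and not an OpenSSH tool.  Applies two
sshd_config rules: commented lines only document defaults, and the first
active occurrence of a keyword wins.  `Include` directives are not expanded,
so `sudo sshd -T` stays the authoritative check on a real host.
"""
import re
import sys

DEFAULT_LOGIN_GRACE_SECONDS = 120  # sshd's built-in default, shown as "#LoginGraceTime 2m"
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed samples: a stock-looking layout, and the same file with the
# mitigation from the security notice applied (line 3).
SAMPLE_DEFAULT_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#LoginGraceTime 2m
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication no
"""
SAMPLE_MITIGATED_CONFIG = SAMPLE_DEFAULT_CONFIG.replace("#LoginGraceTime 2m", "LoginGraceTime 0")


def parse_sshd_time(value):
    """Convert an sshd time value ("0", "2m", "1h30m") into seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"not an sshd time value: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def effective_login_grace_time(config_text):
    """Return (seconds, line_number); line_number is None when the default applies."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, including the commented-out defaults
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # LoginGraceTime is only valid in the global section before any Match
        if key == "logingracetime":
            return parse_sshd_time(value), lineno  # first active occurrence wins
    return DEFAULT_LOGIN_GRACE_SECONDS, None


def describe(config_text):
    """One-line verdict on the mitigation state of a config."""
    seconds, lineno = effective_login_grace_time(config_text)
    where = f"line {lineno}" if lineno else "sshd default"
    if seconds == 0:
        return (f"LoginGraceTime 0 ({where}): unauthenticated connections never time out; "
                "CVE-2024-6387 mitigation active, MaxStartups exhaustion possible")
    return (f"LoginGraceTime {seconds}s ({where}): mitigation not applied; "
            "safety depends on the openssh-server package being at the fixed version")


if __name__ == "__main__":
    # Pass a path to inspect a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT_CONFIG
    print(describe(text))
```

Because jammy's stock file starts with an `Include /etc/ssh/sshd_config.d/*.conf` line and the first match wins, a drop-in file there can set LoginGraceTime before the main file is read; that is the case this parser cannot see and the reason to confirm with `sudo sshd -T` after editing.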
