
Security Metrics are complaining our version of ssh is out of date. If I run ssh -V I get this:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020

But if I run dpkg -s openssh-client | grep '^Version:' I get this:

Version: 1:8.2p1-4ubuntu0.2

That version was released on March 9th 2021 and fixes all the security issues which Security metrics are complaining about. I've tried using apt upgrade for openssh-client but it says I already have the latest version installed and shows me the 1:8.2p1-4ubuntu0.2 version. I also used ssh -v localhost to confirm that's also reporting the old version.

How can I get the system to use the latest versions of openssh-client and openssh-server which are installed?

1 Answer


Your output seems to conclusively show that you ARE using the latest package for 20.04.

A Debian-based system can have only a single version of a package installed. In Ubuntu, newer versions overwrite older.

For your 20.04 system, http://packages.ubuntu.com confirms that the newest openssh-client and openssh-server package version is 1:8.2p1-4ubuntu0.2...which is what both your outputs say is running.

Perhaps the discrepancy that you are looking at is the date instead of the version number. The older date on ssh -V refers to the upstream version release, not the Ubuntu patch date.

Ubuntu LTS releases do not bump to the newest version of ssh -- that would break workflows. Instead, vulnerabilities (identified by a CVE) are patched by the Ubuntu Security Team, often using the upstream patch provided for exactly this purpose. This is a standard and accepted industry practice.

  • Example: Ubuntu 18.04 uses ssh 7.6, fully patched.
  • You can have the latest ssh by using the latest (non-LTS) version of Ubuntu.

Your security metric should be accordingly adjusted.
