
As per: https://launchpad.net/ubuntu/focal/+source/openssh/+changelog and https://ubuntu.com/blog/what-is-an-ubuntu-lts-release and https://ubuntu.com/about/release-cycle "For each Ubuntu LTS release, Canonical maintains the Base Packages and provides security updates, including kernel livepatching, for a period of ten years." Ubuntu 20.04 LTS was released on April 23, 2020.

Will Ubuntu 20.04 LTS receive any updates to the packages openssh-server and openssh-client, to address outstanding CVEs in NVD that cause the current version (8.2p1) to be vulnerable from a cyber security perspective? Such as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
All modern security scanning platforms currently flag all versions of SSH prior to 8.3p1 as vulnerable, as a consequence of this CVE.

I understand an option is to move to a newer LTS version, in order to advance the openssh version. I'm trying to determine what, if any, the scope of "Long Term Support" and "Expanded Security Maintenance (ESM)" might be to drive this security update from Canonical. If neither LTS nor ESM means openssh-server will ever be updated to address this (or other) CVEs, then I will direct our teams to migrate all of our prod assets to a new Ubuntu Server version, purely to remove this long-standing Cyber Security Risk. But it would be nice to have this confirmed, officially, from Canonical, prior to kicking off thousands of man-hours of work. :)
This version of openssh-server has been vulnerable for many years, as per the date record in the CVE of: 20200715 (July 15, 2020).

1 Answer

Ubuntu Server LTS releases are completely supported by both Canonical and the community for five years.

"Support" means that the release will continue to receive updates, including bug fixes and security patches.

Ubuntu Server 20.04 will be fully supported until April 2025.

While it is recommended to migrate to a new release before community support ends, you can sign up for an ESM or Ubuntu Pro subscription that will allow you to continue getting critical security updates and bug fixes for at least another five years, until April 2030.

We at Ask Ubuntu are generally unable to answer specific questions pertaining to unreleased software still in development, whether they are new features, bugfixes, or security patches.

Generally speaking, bug fixes and security vulnerabilities are triaged based on how serious they are and how many people they affect.

If it seems that it is taking a very long time for a CVE to be patched, it's likely that the CVE simply doesn't affect many people, or it's just not that big of a deal. If a major security flaw is recognized and determined to be a really serious issue, it will have high priority and be patched as soon as possible.

If at any time you would like to know the details or current status of any CVE, you should reference the CVE tracker.


Here are all of the details about CVE-2020-15778

The developer notes are as follows:

mdeslaur:

the upstream OpenSSH project will not be fixing this issue as
it may result in breaking existing workflows. As such, we will
not be fixing this issue in Ubuntu.

seth-arnold:

openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.

Based on the CVE tracker and developer notes, this is not going to be fixed because it can't be fixed. However it is implied that it's not a relevant problem as long as you aren't using old devices that are incapable of being upgraded to modern security protocols.

  • Well, it looks like we'll be upgrading hundreds of assets to get to a modern openssh version, then. A real shame, but I appreciate the official response.
    – user user
    Commented May 24, 2023 at 21:41
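Since the developer notes above say the issue will stay unfixed in the focal package, the practical question for anyone who must keep 8.2p1 around is how to keep automation from feeding scp a destination the remote shell will execute. The following is an added example, not code from the question, the answer, Canonical or the OpenSSH project. The background it relies on is the published CVE description: legacy scp passes the remote path to the remote user's login shell, so backticks or $( ) in a destination are run as commands. The function names, the metacharacter list and the "strict" policy are this example's own assumptions; the sample paths are constructed for illustration.

```python
"""Client-side guard for legacy (non-SFTP) scp destinations.

Added example, not from the Ask Ubuntu thread.  Assumption: scp is driven
from automation that builds the remote path from untrusted input (ticket
fields, uploaded filenames, API parameters), so the guard sits at that seam.
"""
import re
import shlex
from typing import List

# Characters the remote login shell interprets in a legacy scp destination.
# Backtick and $( ) are the vector CVE-2020-15778 describes; the rest turn a
# path into a second command, a redirection, a glob or a quoting trick.
# (Character set chosen for this example; not an OpenSSH list.)
_META_CHARS = "`$;&|<>(){}[]*?#\\\"' \t\n"
_SHELL_META = re.compile("[" + re.escape(_META_CHARS) + "]")


class UnsafeRemotePath(ValueError):
    """Raised when a remote path would be interpreted by the remote shell."""


def find_shell_meta(path: str) -> List[str]:
    """Return the distinct shell-interpreted characters present in *path*."""
    return sorted({m.group(0) for m in _SHELL_META.finditer(path)})


def quote_for_remote_shell(path: str) -> str:
    """Single-quote the remote path so the remote shell passes it literally.

    A leading '~' or '~user' prefix is left unquoted so 'host:~/dir' still
    expands, which is the workflow upstream chose not to break.  Everything
    after that prefix is quoted, so backticks inside a filename are data.
    """
    if path.startswith("~"):
        prefix, sep, rest = path.partition("/")
        if find_shell_meta(prefix):
            raise UnsafeRemotePath(f"tilde prefix is not a plain user name: {prefix!r}")
        return prefix + (sep + shlex.quote(rest) if sep else "")
    return shlex.quote(path)


def build_scp_argv(local_file: str, host: str, remote_path: str,
                   strict: bool = True) -> List[str]:
    """Build an argv list for scp (never a shell string) with the remote side quoted.

    strict=True refuses any remote path containing shell metacharacters even
    though quoting would neutralise them; that is the conservative policy for
    a fleet that cannot patch.  strict=False quotes the path instead.
    """
    meta = find_shell_meta(remote_path)
    if meta and strict:
        raise UnsafeRemotePath(
            f"remote path contains shell metacharacters {meta}: {remote_path!r}")
    target = f"{host}:{quote_for_remote_shell(remote_path)}"
    # argv form: the local side does not go through a shell either, so nothing
    # in local_file or host is re-interpreted before scp sees it.
    return ["scp", local_file, target]


if __name__ == "__main__":
    # Constructed sample destinations for illustration.
    for dest in ("/srv/inbox/report.txt", "~/inbox/report.txt",
                 "/srv/inbox/`touch /tmp/pwned`", "/srv/inbox/$(id).txt"):
        meta = find_shell_meta(dest)
        print(f"{dest!r:40} meta={meta} quoted={quote_for_remote_shell(dest)!r}")
    print(build_scp_argv("report.txt", "files.example", "/srv/inbox/report.txt"))
```

Quoting alone only makes the destination literal; it does not change the fact that the remote side still runs a shell for every legacy scp transfer, so where the transfer can be moved to sftp (or an OpenSSH version that speaks SFTP for scp) that remains the stronger fix. The strict mode exists for fleets where an injected backtick must fail loudly rather than be silently neutralised.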
