
I wanted to upgrade my openssh versions to address CVE-2024-6387, and after running apt update and apt upgrade I see this output:

❯ sudo apt upgrade openssh-client
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssh-client is already the newest version (1:8.9p1-3ubuntu0.10).
openssh-client set to manually installed.
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 has been fixed for 22.04 LTS, 23.10 and 24.04 LTS.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https://ubuntu.com/security/notices/USN-6859-1.
#
The following packages have been kept back:
  python3-update-manager update-manager update-manager-core
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
❯ sudo apt upgrade openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
openssh-server is already the newest version (1:8.9p1-3ubuntu0.10).
Calculating upgrade... Done
#
# OpenSSH CVE-2024-6387 has been fixed for 22.04 LTS, 23.10 and 24.04 LTS.
# RegreSSHion: Possible RCE Due To A Race Condition In Signal Handling.
# For more details see: https://ubuntu.com/security/notices/USN-6859-1.
#
The following packages have been kept back:
  python3-update-manager update-manager update-manager-core
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
❯ ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022

So both my openssh-client and openssh-server are on version 8.9p1-3 which is the patched version, but when I run ssh -V I see 8.9p1, which seems to be the unpatched version. Is this expected behavior of ssh -V or is it somehow pointing to the wrong version, and if so, how do I fix that?

  • Apt is correct, and the discrepancy is expected behavior. Recall that every stock install of Ubuntu will silently discover, download, and install security-patched packages automatically (there are a couple exceptions, but OpenSSH is not one of them). Your output clearly shows that your system had already installed the patched package before you instructed it. Your confusion occurred because you tried to outwit the system.
    – user535733
    Commented Jul 2 at 17:13
  • But it says "8.9p1 Ubuntu-3ubuntu0.10" right there in the ssh -V output, does it not?
    – marcelm
    Commented 2 days ago

1 Answer


The -3ubuntu0.10 for Jammy 22.04 is a package revision version string, not the version string of OpenSSH itself (which is 8.9p1). The base version of OpenSSH that's on the system, excluding package revisions and the patches included that way, is 8.9p1. By default, OpenSSH's -V (version) call there will only state the base OpenSSH version and not the Ubuntu package revision data.

You are still patched, but because of the way the software compiles, you won't see the updated version string in OpenSSH's version output, which is expected behavior.

Note that you actually have to check the installed package revision, its patch sets, and the security notices to identify what is or isn't included. You're patched for CVE-2024-6387 (aka RegreSSHion) though, as long as the installed package version for the release is at or newer than the following (from the Ubuntu CVE tracker for CVE-2024-6387):

  • Ubuntu Jammy (22.04 LTS): 1:8.9p1-3ubuntu0.10
  • Ubuntu Mantic (23.10): 1:9.3p1-1ubuntu3.6
  • Ubuntu Noble (24.04 LTS): 1:9.6p1-3ubuntu13.3

OpenSSH base versions earlier than 8.5p1 are unaffected.
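As an added example (not part of the question or the answer above), the check the answer describes can be scripted: compare the installed package version, not the `ssh -V` base version, against the fixed versions listed above using the same ordering rules that `dpkg --compare-versions` applies (epoch first, then upstream version, then Debian revision, with `~` sorting before everything). The fixed-version table is taken from the answer; the `1:` epoch supplied when reconstructing a package version from the `ssh -V` banner is an assumption based on the versions listed there, since the banner does not print it.

```python
import re
import subprocess

# Fixed versions per release, copied from the answer above.
FIXED_VERSIONS = {
    "jammy": "1:8.9p1-3ubuntu0.10",
    "mantic": "1:9.3p1-1ubuntu3.6",
    "noble": "1:9.6p1-3ubuntu13.3",
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < letters < other."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit runs are compared character by character.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically (leading zeros dropped).
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '1:8.9p1-3ubuntu0.10' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(release: str, installed: str) -> bool:
    """True when the installed package version is at or newer than the fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def package_version_from_banner(banner: str, epoch: int = 1) -> str:
    """Rebuild the package version from an `ssh -V` banner such as
    'OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022'.
    The epoch is not printed, so it is assumed (1 for the releases above)."""
    m = re.match(r"OpenSSH_(\S+) Ubuntu-([^,\s]+)", banner)
    if not m:
        raise ValueError("not an Ubuntu OpenSSH banner: " + banner)
    return f"{epoch}:{m.group(1)}-{m.group(2)}"


if __name__ == "__main__":
    # ssh -V writes its banner to stderr; fall back to the constructed sample
    # from the question if ssh is not installed here.
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
        banner = (proc.stderr or proc.stdout).strip()
    except FileNotFoundError:
        banner = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022"
    installed = package_version_from_banner(banner)
    print(installed, "patched on jammy:", is_patched("jammy", installed))
```

In practice the authoritative input is `dpkg-query -W -f='${Version}' openssh-server` rather than the banner, because the banner omits the epoch and is only present in Ubuntu's patched builds; the comparison logic is the same either way.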
