Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Is Gentoo's SSH vulnerable to regreSSHion?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
pablo_supertux
Advocate
Advocate


Joined: 25 Jan 2004
Posts: 2946
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jul 10, 2024 8:40 pm    Post subject: Is Gentoo's SSH vulnerable to regreSSHion? Reply with quote

Hi

Qualys published a regression to openSSH a couple of days ago. I always update my Gentoo systems on Sunday evenings, so I'm fairly up to date.

I stumbled upon the script https://github.com/xaitax/CVE-2024-6387_Check that checks whether an openSSH installtion is still vulnerable or not.

When I test it with my own host, I get this:

Code:

$ python /tmp/CVE-2024-6387_Check.py localhost

...

Servers likely vulnerable: 2
   [+] Server at ::1 (running SSH-2.0-OpenSSH_9.7)
   [+] Server at 127.0.0.1 (running SSH-2.0-OpenSSH_9.7)

...


I've made an eix-sync right now but my openssh is up-to-date (=net-misc/openssh-9.7_p1-r6). So the question is: is Gentoo still vulnerable or is this just a false positive because the script only checks the signature against the most common distributions (like debian, ubuntu, rhel, etc)?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20484

PostPosted: Wed Jul 10, 2024 9:08 pm    Post subject: Reply with quote

Seems like it not vulnerable...

https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/openssh?id=1633ef45475afb9eea04e9cf27021c9d994af338

https://bugs.gentoo.org/935271

https://bugs.gentoo.org/935272
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
pablo_supertux
Advocate
Advocate


Joined: 25 Jan 2004
Posts: 2946
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jul 10, 2024 9:43 pm    Post subject: Reply with quote

Cool, thanks. Yes, then that's a false positive of the tool.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Back to top
View user's profile Send private message
dmpogo
Advocate
Advocate


Joined: 02 Sep 2004
Posts: 3417
Location: Canada

PostPosted: Wed Jul 10, 2024 9:44 pm    Post subject: Reply with quote

That check is trivial, it just checks whether your version of openssh is affected ( the first formally unaffected is 9.8p1) and if it is whether it was patched, which for the check means in the list of

patched_versions = [
'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
'SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
'SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
'SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3',
'SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3',
'SSH-2.0-OpenSSH_9.7p1 Debian-7',
'SSH-2.0-OpenSSH_9.6 FreeBSD-20240701',
'SSH-2.0-OpenSSH_9.7 FreeBSD-20240701'
]

that distributions, which obviously knows noting about Gentoo.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum