or is it in the works?
This is CVE-2024-6387.
Checking for an upgrade gives:
openssh-client is already the newest version (1:9.2p1-2+deb12u2).
openssh-server is already the newest version (1:9.2p1-2+deb12u2).
Last edited by ghp (2024-07-06 14:07:33)
Linux Registered User #94362
Not sure about the architecture, but do you have daedalus-security in /etc/apt/sources.list?
EDIT: Oops, there is another thread regarding this issue.
Last edited by delgado (2024-07-06 19:50:17)
I'm afraid I do. If someone would confirm the fix is available, I'd know I have to look for a problem on my side.
Linux Registered User #94362
I must say I'm underwhelmed by the attention this gets. Any advice on where I should be reporting a CVE making a stable Devuan server vulnerable? Just asking.
Linux Registered User #94362
You may want to include daedalus-proposed-updates in your sources.list as well as daedalus-security.
It has already received at least one update since your OP.
My system runs under Daedalus:
$ apt info openssh-client
Package: openssh-client
Version: 1:9.2p1-2+deb12u3
$ grep ^[^#] /etc/apt/sources.list /etc/apt/sources.list.d/*
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-updates main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-security main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-proposed-updates main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-backports main non-free-firmware non-free contrib
@alexkemp, Daedalus is good, but is it armhf?
@ralph.ronnquist, I added daedalus-proposed-updates, ran "apt-get update" and "apt-get -s upgrade". No luck (I get the advice to remove ntpsec). Is "proposed-updates" Devuan specific? It's the first time I've come across it; I've been using Debian since the previous century.
Last edited by ghp (2024-07-08 11:27:17)
Linux Registered User #94362
Pointing your browser at https://pkginfo.devuan.org/openssh-server you'll see all currently available versions of the package and the repository points they are found in.
Do you have a hold on the package, or some blocking preferences? It should update.
See also https://www.debian.org/releases/proposed-updates for some new and relevant information.
EDIT: hmm, pkginfo favours amd64 ... that might not be ideal for you...
However, armhf has the same versions in the same repositories, at least for openssh-server.
Strange, the deb12u3_armhf.debs are there:
/var/lib/apt/lists
# grep openssh-client * | grep -E ':(Package|Filename):' | less -X
grep: auxfiles: Is a directory
grep: partial: Is a directory
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u2_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh-ssh1/openssh-client-ssh1_7.5p1-14_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Filename: pool/DEBIAN-SECURITY/updates/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-security_main_i18n_Translation-en:Package: openssh-client
What's wrong with my configuration that it ignores security and proposed-updates?
Linux Registered User #94362
Use apt-mark showhold to check if it's held or not.
/etc/apt/preferences.conf and files in /etc/apt/preferences.d/ define preferences.
And apt-cache policy openssh-server would tell about pinning as well.
This probably:
openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status
Where did I go wrong?
I've got no preferences.conf nor preferences.d.
# apt-mark showhold
libjemalloc1
Last edited by ghp (2024-07-08 12:09:55)
Linux Registered User #94362
You have an explicit Pin-Priority of 990 for daedalus in some /etc/apt/preferences.d/* file.
@ralph.ronnquist: I can't find it under /etc/apt. Tried "grep -r 990 .".
Linux Registered User #94362
Sorry, I replied before I saw your edit... hmm.
According to man apt_preferences there is an automatic priority of 990 to the versions that belong to the "target release", which would be declared in /etc/apt/apt.conf or some file in /etc/apt/apt.conf.d by a line like APT::Default-Release "stable";
Comment out that line (with an initial #).
I ran an strace on apt-cache policy. It seems to get the 990 from
/var/lib/apt/lists/deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages
But in that file there's only "Priority: standard".
Last edited by ghp (2024-07-08 12:24:44)
Linux Registered User #94362
Yes, the files in /var/lib/apt/lists are the package index files, and the Priority in those is a categorical grouping of packages that is something different from Pin-Priority.
(see my previous reply that overlapped yours)
I had
APT::Default-Release daedalus;
Now:
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...
Thank YOU!
I don't remember why I put that line there. It doesn't seem very wise. Part of an upgrade perhaps; this system ran on an RPi2 before, and certainly before Daedalus. I must have overlooked some of the small print. I hope.
Linux Registered User #94362
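As an added offline check (not code from the thread or from Devuan), the following Python parses the apt-cache policy output posted above and flags any version from a *-security suite that the candidate outranks on pin priority alone, which is exactly what an APT::Default-Release entry does via its automatic 990; the function names and the embedded sample text are my own construction.

```python
import re

# `apt-cache policy openssh-client` output as posted in the thread above,
# embedded here (re-indented) so the check runs without apt.
POLICY = """\
openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status
"""

VERSION_ROW = re.compile(r'^\s*(?:\*\*\*\s+)?(\S+)\s+(-?\d+)\s*$')   # "<version> <pin>"
SOURCE_ROW = re.compile(r'^\s*(-?\d+)\s+\S+\s+(\S+)/\S+')         # "<pin> <url> <suite>/<component> ..."

def parse_policy(text):
    """Return (candidate, [(version, pin_priority, [suites]), ...])."""
    candidate, table, entry = None, [], None
    for line in text.splitlines():
        m = re.match(r'^\s*Candidate:\s*(\S+)', line)
        if m:
            candidate = m.group(1)
        elif (m := VERSION_ROW.match(line)):
            entry = (m.group(1), int(m.group(2)), [])
            table.append(entry)
        elif (m := SOURCE_ROW.match(line)) and entry is not None:
            entry[2].append(m.group(2))          # suite name, e.g. daedalus-security
    return candidate, table

def outranked_security_versions(text, suffix='-security'):
    """Versions offered by a *-security suite that apt will NOT pick because the
    candidate carries a higher pin priority: a pin below 1000 wins on priority
    first, so 990 from Default-Release beats 500 whatever the version numbers."""
    candidate, table = parse_policy(text)
    cand_prio = next((p for v, p, _ in table if v == candidate), -1)
    return [(v, p, [s for s in suites if s.endswith(suffix)])
            for v, p, suites in table
            if v != candidate and p < cand_prio
            and any(s.endswith(suffix) for s in suites)]

def default_release(apt_conf_text):
    """Return the APT::Default-Release value from apt.conf-style text, or None."""
    m = re.search(r'^\s*APT::Default-Release\s+"?([^";\s]+)"?\s*;', apt_conf_text, re.M)
    return m.group(1) if m else None
```

Feeding real output (`apt-cache policy <pkg>`) to outranked_security_versions() and the concatenated /etc/apt/apt.conf.d/* files to default_release() reproduces the diagnosis from this thread on any Debian-derived host.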
Daedalus is good, but is it armhf?
amd64, so no.
You seem to be getting there, so that's good.