The officially official Devuan Forum!

You are not logged in.

#1 2024-07-06 07:10:54

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

[SOLVED] no fix for CVE regreSSHion on armhf?

or is it in the works?

This is CVE-2024-6387.
Checking for an upgrade gives:

openssh-client is already the newest version (1:9.2p1-2+deb12u2).
openssh-server is already the newest version (1:9.2p1-2+deb12u2).

Last edited by ghp (2024-07-06 14:07:33)


Linux Registered User #94362

Offline

#2 2024-07-06 19:44:57

delgado
Member
Registered: 2022-07-14
Posts: 213  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Not sure about the architecture, but do you have daedalus-security in /etc/apt/sources.list?

EDIT: Ups, there is another thread respective this issue.

Last edited by delgado (2024-07-06 19:50:17)

Offline

#3 2024-07-06 21:44:19

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

I'm afraid I do.  If someone would confirm the fix is available, I'd know I have to look for a problem on my side.


Linux Registered User #94362

Offline

#4 2024-07-08 04:19:25

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

I must say I'm underwhelmed by the attention this gets. Any advice on where I should be reporting a CVE making a stable Devuan server vulnerable?  Just asking.


Linux Registered User #94362

Offline

#5 2024-07-08 05:22:11

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

You may want to include daedalus-proposed-updates in your sources.list
as well as daedalus-security

Offline

#6 2024-07-08 07:25:36

alexkemp
Member
Registered: 2018-05-14
Posts: 357  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

It has already received at least one update since your OP.

My system runs under Daedalus:

$ apt info openssh-client
Package: openssh-client
Version: 1:9.2p1-2+deb12u3
$ grep ^[^#] /etc/apt/sources.list /etc/apt/sources.list.d/*
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus                  main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-updates          main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-security         main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-proposed-updates main non-free-firmware non-free contrib
/etc/apt/sources.list:deb http://deb.devuan.org/merged daedalus-backports        main non-free-firmware non-free contrib

Offline

#7 2024-07-08 11:26:03

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

@alexkemp,  Daedalus is good, but is it armhf?
@ralph.ronnquist, I added daedalus-proposed-updates, ran "apt-get update"  and "apt-get -s upgrade". No luck  (I get the advice to remove ntpsec). Is "proposed-updates" Devuan specific?  First time I come across it, been using Debian since the previous century.

Last edited by ghp (2024-07-08 11:27:17)


Linux Registered User #94362

Offline

#8 2024-07-08 11:42:11

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Pointing your broswer at https://pkginfo.devuan.org/openssh-server you'll see all currently available versions of the package and the repository points they are found in.

Do you have a hold on the package, or some blocking preferences? It should update.

See also https://www.debian.org/releases/proposed-updates for some new and relevant information.

EDIT: hmm pkginfo favours amd64 ... that might not be ideal for you...
however, armhf has the same versions in the same repositories, at least for openssh-server.

Offline

#9 2024-07-08 11:49:45

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Strange, the deb12u3_armhf.debs are there:

/var/lib/apt/lists
# grep openssh-client  * | grep -E ':(Package|Filename):' | less -X            
grep: auxfiles: Is a directory
grep: partial: Is a directory
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u2_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh-ssh1/openssh-client-ssh1_7.5p1-14_armhf.deb
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus_main_i18n_Translation-en:Package: openssh-client-ssh1
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_binary-armhf_Packages:Filename: pool/DEBIAN/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-proposed-updates_main_i18n_Translation-en:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Package: openssh-client
deb.devuan.org_merged_dists_daedalus-security_main_binary-armhf_Packages:Filename: pool/DEBIAN-SECURITY/updates/main/o/openssh/openssh-client_9.2p1-2+deb12u3_armhf.deb
deb.devuan.org_merged_dists_daedalus-security_main_i18n_Translation-en:Package: openssh-client

What's wrong with my configuration that it ignores security and proposed-updates?


Linux Registered User #94362

Offline

#10 2024-07-08 11:55:10

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Use apt-mark showhold to check if it's held or not.

/etc/apt/preferences.conf and files in /etc/apt/preferences.d/ define preferences.

And apt-cache policy openssh-server would tell about pinning as well.

Offline

#11 2024-07-08 11:59:38

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

This probably:

openssh-client:
  Installed: 1:9.2p1-2+deb12u2
  Candidate: 1:9.2p1-2+deb12u2
  Version table:
     1:9.2p1-2+deb12u3 500
        500 http://deb.devuan.org/merged daedalus-security/main armhf Packages
        500 http://deb.devuan.org/merged daedalus-proposed-updates/main armhf Packages
 *** 1:9.2p1-2+deb12u2 990
        990 http://deb.devuan.org/merged daedalus/main armhf Packages
        100 /var/lib/dpkg/status

Where did I go wrong?
I've got no preferences.conf nor preferences.d.

# apt-mark showhold     
libjemalloc1

Last edited by ghp (2024-07-08 12:09:55)


Linux Registered User #94362

Offline

#12 2024-07-08 12:09:38

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

You have an explicit Pin-Priority of 990 for daedalus in some /etc/apt/preferences.d/* file.

Offline

#13 2024-07-08 12:10:49

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

@ralph.ronnquist: I can't find it under /etc/apt.  Tried "grep -r 990 .".


Linux Registered User #94362

Offline

#14 2024-07-08 12:17:30

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Sorry, I replied before I saw your edit... hmm.

According to man apt_preferences there is an automatic priority of 990 to the versions that belong to the "target release", which would be declared in /etc/apt/apt.conf or some file in /etc/apt/apt.conf.d by a line like APT::Default-Release "stable";
Comment out that line (with initial #)

Offline

#15 2024-07-08 12:22:18

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

I ran an strace on apt-cache policy.  Seems to get the 990 from

/var/lib/apt/lists/deb.devuan.org_merged_dists_daedalus_main_binary-armhf_Packages

But in that file there's only "Priority: standard".

Last edited by ghp (2024-07-08 12:24:44)


Linux Registered User #94362

Offline

#16 2024-07-08 12:28:35

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,253  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

Yes, the files in /var/lib/apt/lists are the package index files, and the Priority in those is a categorical grouping of packages that is something different from Pin-Priority.

(see my previous reply that overlapped yours)

Offline

#17 2024-07-08 12:42:30

ghp
Member
From: Zwevegem, Belgium
Registered: 2017-05-08
Posts: 22  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

I had

APT::Default-Release daedalus;

Now:

Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...

Thank YOU!

I don't remember why I put that line there.  It doesn't seem very wise.   Part of an upgrade perhaps, this system ran on a RPi2 before, and certainly before Daedalus.  I must have overlooked some of the small print.  I hope.


Linux Registered User #94362

Offline

#18 2024-07-08 18:54:13

alexkemp
Member
Registered: 2018-05-14
Posts: 357  

Re: [SOLVED] no fix for CVE regreSSHion on armhf?

ghp wrote:

Daedalus is good, but is it armhf?

amd64, so no.

You seem to be getting there, so that's good.

Offline

Board footer