Security - CVE-2024-6387 - regreSSHion

Azure / AKS

Azure Kubernetes Service

https://azure.github.io/AKS/

1.95k stars 304 forks source link

Security - CVE-2024-6387 - regreSSHion #4378

Closed matthew-fawcett closed 1 month ago

matthew-fawcett commented 2 months ago

Describe scenario

A CVE has been issued for a vulnerability in OpenSSH - https://www.qualys.com/regresshion-cve-2024-6387/

Question

Google are releasing a patched version of GKE to cover this CVE - https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2024-040 - is there anything in the works for AKS?

dennis-gropyus commented 2 months ago

The versions currently distributed seem to be:

openssh-client (1:8.9p1-3ubuntu0.7)
openssh-server (1:8.9p1-3ubuntu0.7)

What we need according to https://ubuntu.com/security/notices/USN-6859-1 for Ubuntu 22.04 images, is:

openssh-client (1:8.9p1-3ubuntu0.10)
openssh-server (1:8.9p1-3ubuntu0.10)

PixelRobots commented 2 months ago

See issue #4379

microsoft-github-policy-service[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had any activity for 21 days. It will be closed if no further activity occurs within 7 days of this comment.

microsoft-github-policy-service[bot] commented 1 month ago

This issue will now be closed because it hasn't had any activity for 7 days after stale. matthew-fawcett feel free to comment again on the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.