bitnami / vms

Bitnami VMs
https://bitnami.com

[<Debian GNU/Linux 10 (buster)>] <Vulnerability in OpenSSH server (CVE-2024-6387)> #1580

Open brookerrj opened 3 days ago

brookerrj commented 3 days ago

Describe your issue as much as you can

I'm assuming that the OpenSSH server vulnerability (CVE-2024-6387) is present in Debian GNU/Linux 10 (buster)? How can I get fixes for this version? Will there be a fix available in the unattended-upgrades for this version?

Versions on my server:

bitnami@wordpress-1-vm:~$ sudo dpkg -l | grep ssh
ii  libssh2-1:amd64       1.8.0-2.1+deb10u1   amd64  SSH2 client-side library
ii  openssh-client        1:7.9p1-10+deb10u4  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server        1:7.9p1-10+deb10u4  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server   1:7.9p1-10+deb10u4  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines
ii  ssh                   1:7.9p1-10+deb10u4  all    secure shell client and server (metapackage)

bitnami@wordpress-1-vm:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

gongomgra commented 2 days ago

Hi @brookerrj,

Thanks for using Bitnami. According to the official Debian website, Debian Buster stopped receiving security updates as of June 30th, 2022. I'm afraid I don't know if Debian Buster is affected by CVE-2024-6387 because it is not listed in the CVE description webpage either. You will need to ask in a more specialized forum for further help on this.

florence0239 commented 1 day ago

Hello,

The OpenSSH server vulnerability (CVE-2024-6387) is a critical issue that affects OpenSSH's server (sshd) due to a race condition, allowing remote attackers to execute arbitrary code without authentication.

For Debian GNU/Linux 10 (buster), here are the steps to address this vulnerability:

Check for Updates: Regularly check the Debian security tracker for updates related to CVE-2024-6387. Use the following command to update your package list and upgrade your packages:

sudo apt update && sudo apt upgrade

Unattended Upgrades: Ensure that unattended-upgrades is configured to automatically apply security updates. You can install and configure it using:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Best Regards, florence023
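For anyone arriving at this thread with the same question, the upstream advisory for CVE-2024-6387 answers it by version range. The bug is a regression: portable OpenSSH before 4.4p1 was affected (as CVE-2006-5051) unless patched, 4.4p1 up to but not including 8.5p1 is not affected, 8.5p1 through 9.7p1 is affected again on glibc-based Linux, and 9.8p1 fixes it (OpenBSD itself is not affected). Buster's 1:7.9p1 therefore sits in the unaffected range, which is why the Debian tracker does not list buster for this CVE. The script below is an added example, not part of this issue thread and not Bitnami's or Debian's tooling. It classifies a version string taken from dpkg or `ssh -V` against those ranges, and, as the caveat a practitioner needs, also greps the package changelog for the CVE id, because a distribution package can carry a backported fix without its upstream version number changing. The changelog path /usr/share/doc/openssh-server/changelog.Debian.gz and the dpkg-query call are assumptions about a Debian/Ubuntu host.

```shell
#!/bin/sh
# Added example (not from the issue thread, Bitnami or Debian): classify an
# OpenSSH version against the upstream affected ranges for CVE-2024-6387.
# Ranges, for portable OpenSSH on glibc-based Linux:
#   < 4.4           affected (original CVE-2006-5051 bug) unless patched
#   4.4 .. < 8.5    not affected
#   8.5 .. < 9.8    affected (the regression)
#   >= 9.8          fixed upstream
# Only major.minor matters for these boundaries; the pN suffix is ignored.

# Reduce a version string to "MAJOR MINOR". Accepts a dpkg version such as
# "1:7.9p1-10+deb10u4", `ssh -V` output such as
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023", or a bare
# "9.6p1". Prints nothing if no MAJOR.MINOR prefix is found.
openssh_major_minor() {
    printf '%s\n' "$1" \
        | sed -e 's/^OpenSSH_//' -e 's/^[0-9]*://' \
        | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print one of: pre-4.4, not-vulnerable, vulnerable, fixed, unknown.
# "vulnerable" means the upstream version is in range; a distribution
# package may still carry a backported fix (see debian_changelog_mentions_cve).
regresshion_status() {
    set -- $(openssh_major_minor "$1")
    if [ "$#" -ne 2 ]; then
        echo unknown
        return 1
    fi
    n=$(( $1 * 100 + $2 ))
    if   [ "$n" -lt 404 ]; then echo pre-4.4
    elif [ "$n" -lt 805 ]; then echo not-vulnerable
    elif [ "$n" -lt 908 ]; then echo vulnerable
    else                        echo fixed
    fi
}

# Distribution caveat: Debian backports security fixes without bumping the
# upstream version, so also look for the CVE id in the package changelog.
# The default path is an assumption based on standard Debian packaging.
# Prints yes or no.
debian_changelog_mentions_cve() {
    changelog=${1:-/usr/share/doc/openssh-server/changelog.Debian.gz}
    if [ -r "$changelog" ] && zcat "$changelog" | grep -q 'CVE-2024-6387'; then
        echo yes
    else
        echo no
    fi
}

# Installed openssh-server version on a Debian/Ubuntu host (empty if absent).
installed_openssh_server_version() {
    dpkg-query -W -f '${Version}' openssh-server 2>/dev/null
}

# Usage: sh check-regresshion.sh --local              (inspect this host)
#        sh check-regresshion.sh 1:7.9p1-10+deb10u4   (classify a string)
if [ "${1:-}" = "--local" ]; then
    v=$(installed_openssh_server_version)
    echo "openssh-server: ${v:-not installed}"
    echo "upstream range: $(regresshion_status "$v")"
    echo "changelog mentions CVE-2024-6387: $(debian_changelog_mentions_cve)"
elif [ -n "${1:-}" ]; then
    echo "$1 -> $(regresshion_status "$1")"
fi
```

Run with `--local` on the buster VM from this thread and the version column resolves to 7.9, i.e. not-vulnerable for this CVE. A "vulnerable" result on a supported release is not final by itself: if the changelog check prints yes, the vendor has backported the fix under the old version number, which is the situation the version-only scanners that circulated for this CVE got wrong.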