Open brookerrj opened 3 days ago
Hi @brookerrj,
Thanks for using Bitnami. According to the official Debian website, Debian Buster stopped receiving security updates as of June 30th, 2022. I'm afraid I don't know if Debian Buster is affected by CVE-2024-6387 because it is not listed in the CVE description webpage either. You will need to ask in a more specialized forum for further help on this.
Describe your issue as much as you can
I'm assuming that the OpenSSH server vulnerability (CVE-2024-6387) is present in Debian GNU/Linux 10 (buster)? How can I get fixes for this version? Will there be a fix available in the unattended-upgrades for this version?
Versions on my server:
bitnami@wordpress-1-vm:~$ sudo dpkg -l | grep ssh
ii libssh2-1:amd64 1.8.0-2.1+deb10u1 amd64 SSH2 client-side library
ii openssh-client 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
ii ssh 1:7.9p1-10+deb10u4 all secure shell client and server (metapackage)
bitnami@wordpress-1-vm:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Hello,
The OpenSSH server vulnerability (CVE-2024-6387) is a critical issue that affects OpenSSH’s server (sshd) due to a race condition, allowing remote attackers to execute arbitrary code without authentication.
For Debian GNU/Linux 10 (buster), here are the steps to address this vulnerability:
Check for Updates:
Regularly check the Debian security tracker for updates related to CVE-2024-6387.
Use the following command to update your package list and upgrade your packages:
sudo apt update && sudo apt upgrade
Unattended Upgrades:
Ensure that unattended-upgrades is configured to automatically apply security updates. You can install and configure it using:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Best Regards, florence023
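A triage check for the question in this thread, as an added example that is not part of any post here: it pulls the upstream version out of the `dpkg -l` line for openssh-server and compares it with the 8.5p1 to 9.7p1 range named in the OpenSSH 9.8 release notes for CVE-2024-6387 (an assumption, not stated in the thread). The function names are hypothetical, and because distributions backport fixes, an in-range result still has to be checked against the Debian security tracker.

```shell
#!/bin/sh
# Added example, not from the thread. The range below is an assumption taken
# from the OpenSSH 9.8 release notes (8.5p1 through 9.7p1 inclusive).
AFFECTED_FROM="8.5"   # first upstream release in the range
FIXED_IN="9.8"        # first upstream release carrying the fix

# "1:7.9p1-10+deb10u4" -> "7.9"
upstream_version() {
    v=${1#*:}      # drop the Debian epoch ("1:")
    v=${v%%-*}     # drop the Debian revision ("-10+deb10u4")
    v=${v%%p*}     # drop the portable patch level ("p1")
    printf '%s\n' "$v"
}

# "7.9" -> 709, so that versions compare as plain integers
to_int() {
    echo $(( ${1%%.*} * 100 + ${1#*.} ))
}

# Prints in-range, outside-range or unknown for a Debian package version.
classify_openssh() {
    up=$(upstream_version "$1")
    case "$up" in
        *[!0-9.]*|*.*.*|.*|*.|"") echo "unknown"; return 2 ;;
        *.*) ;;
        *) echo "unknown"; return 2 ;;
    esac
    n=$(to_int "$up")
    if [ "$n" -ge "$(to_int "$AFFECTED_FROM")" ] && [ "$n" -lt "$(to_int "$FIXED_IN")" ]; then
        echo "in-range"       # confirm the fixed revision in the distro tracker
    else
        echo "outside-range"  # outside the 8.5p1 to 9.7p1 range only
    fi
}

# Read `dpkg -l` output on stdin and classify the installed openssh-server.
check_dpkg_listing() {
    ver=$(awk '$1 == "ii" && $2 == "openssh-server" { print $3 }')
    [ -n "$ver" ] || { echo "openssh-server not installed"; return 1; }
    echo "openssh-server $ver: $(classify_openssh "$ver")"
}

# Package lines as posted in the question above, descriptions shortened.
check_dpkg_listing <<'EOF'
ii openssh-client 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) client
ii openssh-server 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) server
EOF
```

On a live host, feed it the real listing with `dpkg -l | check_dpkg_listing`.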