Regresshion CVE-2024-6387

Howdy, just hoping to confirm that the patch 1 on 9.6 is sufficient for the regresshion vulnerability

$ sshd -V
OpenSSH_9.6p1, OpenSSL 1.1.1w  11 Sep 2023

At least that’s what Ubuntu’s mitigation has been:
https://ubuntu.com/security/notices/USN-6859-1

• openssh: Update to 9.8p1 (Security update)

I think 9.6p1 is the old one, from before the CVE was known publicly.

And indeed Turris OS 7.0.1 has OpenSSH 9.8p1

      ______                _         ____  _____
     /_  __/_  ____________(_)____   / __ \/ ___/
      / / / / / / ___/ ___/ / ___/  / / / /\__ \
     / / / /_/ / /  / /  / (__  )  / /_/ /___/ / 
    /_/  \__,_/_/  /_/  /_/____/   \____//____/  
                                             
 -----------------------------------------------------
 TurrisOS 7.0.1, Turris Omnia
 -----------------------------------------------------
root@turris:~# sshd -V
OpenSSH_9.8p1, OpenSSL 1.1.1w  11 Sep 2023
root@turris:~# 

(Curious that it has the same 11 Sep 2023 date though)

11-Sep-2023
OpenSSL 1.1.1w is now available, including bug and security fixes
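An added example, not from this thread or from the Turris/OpenSSH projects: a small POSIX shell script that parses an `sshd -V` banner like the ones quoted above and says whether the upstream version falls inside the regreSSHion affected ranges (below 4.4p1, or 8.5p1 up to but not including 9.8p1, per the Qualys advisory). The function names and the sample banners are my own. One caveat the version string alone cannot settle: distributions backport the fix without bumping the version (Ubuntu's USN-6859-1 ships a fixed 9.6p1), so an "affected" verdict means "go read the package changelog", not "exploitable".

```shell
#!/bin/sh
# Added example (not from the original thread): classify an OpenSSH version
# banner against the upstream CVE-2024-6387 (regreSSHion) affected ranges.
#
# Affected upstream ranges, from the Qualys advisory:
#   * OpenSSH < 4.4p1 (unless already patched for CVE-2006-5051 / CVE-2008-4109)
#   * 8.5p1 <= OpenSSH < 9.8p1
# Caveat: distro builds backport fixes under the old version string (Ubuntu's
# USN-6859-1 ships a fixed 9.6p1), so "affected" here is a prompt to check the
# package changelog, not a final verdict.

# Print "major minor patchlevel" for a banner such as
#   OpenSSH_9.6p1, OpenSSL 1.1.1w  11 Sep 2023
# (prints nothing if the banner does not parse).
openssh_version_parts() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit status: 0 = inside an affected upstream range, 1 = outside,
# 2 = banner could not be parsed.
regresshion_vulnerable() {
    set -- $(openssh_version_parts "$1")
    [ $# -eq 3 ] || return 2
    # Encode MAJOR.MINORpPATCH as one comparable integer MMmmpp,
    # so 4.4p1 -> 40401, 8.5p1 -> 80501, 9.8p1 -> 90801.
    num=$(($1 * 10000 + $2 * 100 + $3))
    if [ "$num" -lt 40401 ]; then
        return 0
    elif [ "$num" -ge 80501 ] && [ "$num" -lt 90801 ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for one banner line.
regresshion_verdict() {
    regresshion_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "AFFECTED upstream range (check the distro changelog for a backported fix)" ;;
        1) echo "not in an affected upstream range" ;;
        *) echo "could not parse version banner" ;;
    esac
}

# Constructed sample banners: the two seen in this thread plus two more
# (a Debian 8.4p1 build, which is outside the affected ranges, and an
# ancient 4.3p2, which is inside the first one).
for line in \
    "OpenSSH_9.6p1, OpenSSL 1.1.1w  11 Sep 2023" \
    "OpenSSH_9.8p1, OpenSSL 1.1.1w  11 Sep 2023" \
    "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023" \
    "OpenSSH_4.3p2, OpenSSL 0.9.8e"; do
    printf '%-60s -> %s\n' "$line" "$(regresshion_verdict "$line")"
done

# Live check on the box itself (ssh/sshd write the banner to stderr,
# hence the 2>&1):
#   regresshion_verdict "$(sshd -V 2>&1 | head -n 1)"
```

Run it as-is to see the four sample verdicts, or feed it the live banner with the commented-out line at the bottom. The integer encoding keeps the comparison in plain `[ -lt ]` arithmetic, which is available in busybox sh on the router as well as in bash.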

Any idea when TOS 7.0.1 gets released into the HBS repos for installation, given the recent CVE? I updated today and it wasn’t available.

It was released today.

Brilliant, I’ll monitor the automatic updates, thank you.

Interestingly HBS places a “delay” in front of updates placed in repositories:

user@turris:~$ sudo pkgupdate
WARN:There is a newer version available, but update is scheduled after another 273.5 hours. If you want the latest and greatest all the time, switch to one of the development branches.
INFO:Target Turris OS: 7.0.0

In the end I executed

user@turris:~$ sudo opkg update
user@turris:~$ sudo opkg upgrade openssh-server
user@turris:~$ sudo /etc/init.d/sshd restart
user@turris:~$ sshd -V
OpenSSH_9.8p1, OpenSSL 1.1.1w  11 Sep 2023

Is there a way to reduce the delay without moving to a development branch?

Yes, it is; it was mentioned somewhere on the forum: you have to edit the pkgupdate script to comment out the line producing the delay…
Sorry I can’t be more specific, as I don’t have access to the router at the moment.

Edit:
Sorry again, I was replying from the bus and didn’t remember the steps well. It’s as follows:

To force the update when it is staged, edit /etc/updater/conf.d/turris.lua
and comment out the line branch = "hbs-old" (i.e. by inserting the characters "--" in front of it),
which is at about line 117, i.e.:

-- Are we there yet?
if update_go_time > os.time() then
	--branch = "hbs-old"
	base_url = repo_url .. "/" .. branch .. "/" ..
	WARN("There is a newer version available, …"
end
