Posted on 07/02/2024 10:59:45 AM PDT by ShadowAce
Thanks- I wasn’t sure if someone with SSHD could connect to my system if i had SSH installed-
“Ok thanks- im pretty sure I run the newest mint- but will check when I get home.”
OK, I found something very useful for next time this happens so add it to your “useful commands” list everyone should have. I should have thought of it sooner.
“All versions of OpenSSH earlier than 4.4p1 are vulnerable, unless they have applied patches for both CVE-2006-5051 and CVE-2008-4109. Versions from 8.5p1 up to but not including 9.8p1 are also vulnerable. Versions 4.4p1 up to but not including 8.5p1 are unaffected due to CVE-2006-5051 being patched as standard.”
Here is how you check your versions of everything including OpenSSH.
” apt list —installed “
Here is mine:
openssh-client/focal-updates,focal-security,now 1:8.2p1-4ubuntu0.11 amd64 [installed]
So I am good. And if I ever update it... It will already come with the new patch included.
wow, thanks. good command to know- here is what mine listed
openssh-client/jammy-updates,jammy-security,now 1:8.9p1-3ubuntu0.10 amd64 [installed]
Yours looks like it is vulnerable from what the list says?
The list is kind of confusing...
Yep- the other fellas though said since i don’t have SSHD which is the server, and i only have the client (ssh)- i should be ok?
Well here is the problem... Some “Client” APPS also build a local server to work. Most P2P clients do this because they are also a server for incoming/shared traffic. So it depends on what you are using or might use in the future. I can’t see Ubuntu/Mint just letting this go without a security patch update. If I can get caught up I will go read chatter on the Mint forums to see what they are saying about it.
Thanks for the link- I’ll check it out too.
I didn’t find anything... Maybe they are not worried about it as out of the box default “Standard use”. Maybe it has already been dealt with awhile back. But any of us who connect servers together or utilize local/external node traffic servers do need to worry. It needs to be fixed regardless of preferred use. It is a security hole whether we use it or not.
Know what? I would just run a full CLI update and upgrade to see if it gives you a safe version.
I suggested CLI update and upgrade because I have noticed the GUI update manager is adding promotional apps I do not want or need. You have to pick through these options and eliminate some. The CLI just plays with what you already have installed.
cli update? not sure what that is? or how to do that?
ok thanks- I’m sure the next upgrade will deal with it- but liek you said, maybe it already has through incremental updates- seems liek they woudl be right on top of it with a fix-
Sorry about that, CLI -Command Line Interface... The Command Terminal. Sometimes it does certain things better than the GUI applications do. Updates and upgrades are two of those. I have found they are adding and “suggesting” stuff you don’t really need or want in the regular update manager app so you have to pick through and exclude those.
A terminal update and upgrade is quick and easier and will only affect what you already have installed with no extra stuff unless it absolutely needs a new additional dependency for one of the new upgrades. :)
As you know it is the the same old:
sudo apt update
sudo apt upgrade
But if you have it set to update it’s self then like you say if you need it they should send it. :)
thanks, i did those the other day- im all up to date- but my SSH is still in the affected range it seems-
Well then that is all you can do at this time then. :)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.