[server] How to Upgrade OpenSSH? CVE-2023-38408
tcp82
July 21st, 2023, 05:46 PM
Hello,
I'm trying to upgrade OpenSSH to 9.3p2 on a number of Ubuntu Server 20.04 LTS VMs to avoid the exploit mentioned in CVE-2023-38408.
20.04 LTS seems to come packaged with OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020.
Manual install of the 9.3p2 .deb packages fails due to dependency errors.
sudo apt upgrade openssh-server and sudo apt upgrade openssh-client both fail due to dependency errors. (My first post. Not sure how to put commands in pretty code boxes.)
I even upgraded a test VM from 20.04 to 22.04 and that got OpenSSH to 8.9p1, but apt has no newer version and manual install fails due to dependencies. I'm sure I'm making a novice mistake. Someone please point me in the right direction.
ian-weisser
July 21st, 2023, 08:02 PM
Did you check the Ubuntu CVE Tracker for that specific CVE? https://ubuntu.com/security/
Upgrading to a newer version is the wrong answer.
You actually should be installing the correct version for your release of Ubuntu that is patched to mitigate the vulnerability. Since you are running Ubuntu 20.04, that is likely to be openssh 1:8.2p1-4ubuntu0.8 when the patching is done. It's been triaged as a "Medium" priority (see the CVE tracker), not "High" or "Critical", so there are other CVEs in line ahead of it.
When the patched version is released, it will go into the -security pocket of the Ubuntu repositories. Everybody with Unattended Upgrades (enabled by default on stock Ubuntu systems) will receive the patched version completely automatically.
Then you can verify that you have the patched version installed using a simple "apt list $package_name" or "apt policy $package_name"
Trying to install 9.3p2 will almost certainly break your system(s), as you have discovered from the many dependency errors. Don't do it. It's the wrong answer.
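The check Ian describes ("apt list" / "apt policy" against the version on the Ubuntu CVE tracker) is easy to get wrong with a plain string comparison, because Ubuntu's openssh packages carry an epoch ("1:") and revisions such as "ubuntu0.10" sort after "ubuntu0.8" numerically, not lexically. The script below is an added example, not code from this thread or from Ubuntu: it implements dpkg's version-ordering rules in Python, parses a constructed "apt policy openssh-client" snippet, and reports whether the installed version is at or above a fixed version. The fixed version used here is a placeholder taken from Ian's guess above ("likely 1:8.2p1-4ubuntu0.8"); on a real host, substitute the version shown on https://ubuntu.com/security/CVE-2023-38408 for your release.

```python
import re

# PLACEHOLDER: the thread only guesses this value; take the real one from the
# Ubuntu CVE tracker page for CVE-2023-38408 and your release.
FIXED_VERSION_FOCAL = "1:8.2p1-4ubuntu0.8"

# Constructed sample of `apt policy openssh-client` output (not captured from a real host).
SAMPLE_APT_POLICY = """\
openssh-client:
  Installed: 1:8.2p1-4ubuntu0.3
  Candidate: 1:8.2p1-4ubuntu0.8
  Version table:
"""


def _order(ch):
    """dpkg's character weight: '~' < end-of-string == digit < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does (<0, 0, >0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        # Numeric run: drop leading zeros, then compare digit by digit;
        # a longer run of digits is a larger number.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a against b like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    c = _cmp_fragment(ua, ub)
    if c != 0:
        return c
    return _cmp_fragment(ra, rb)


def parse_apt_policy(text):
    """Pull the Installed and Candidate versions out of `apt policy` output."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Installed|Candidate):\s*(\S+)", line)
        if m:
            info[m.group(1).lower()] = m.group(2)
    return info


def is_patched(installed, fixed):
    """True when the installed version is at or above the tracker's fixed version."""
    if installed is None or installed == "(none)":
        return False
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    policy = parse_apt_policy(SAMPLE_APT_POLICY)
    for key in ("installed", "candidate"):
        print(f"{key}: {policy[key]} -> patched: {is_patched(policy[key], FIXED_VERSION_FOCAL)}")
```

Note that the epoch is why a hand-built 9.3p2 .deb does not help: "9.3p2" has epoch 0 and therefore sorts below "1:8.2p1-4ubuntu0.8" for apt and dpkg, regardless of the upstream number.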
tcp82
July 21st, 2023, 08:27 PM
Ian,
I understand from your reply that upgrading OpenSSH to a newer version not affected by the vulnerability is the wrong answer.
I see now I actually should be installing the correct version for my release of Ubuntu that is patched to mitigate the vulnerability in question.
I see from the CVE tracker that the CVE my company rated 24 hours ago as "Must be patched within 72 hours!" does not exist yet for Ubuntu Server 20.04. I get to be a rebel and tell them I will not be compliant!
Thanks.
This was all new information for me. Like I said, I'm an Ubuntu novice.
ian-weisser
July 21st, 2023, 08:38 PM
EDIT: Post withdrawn.
Not sure how a post on the ruby-rack package got mixed in with ssh discussion.
tcp82
July 21st, 2023, 09:01 PM
That's disappointing.
ian-weisser
July 21st, 2023, 09:15 PM
Edit: Post withdrawn.
Discussion of Ubuntu Pro was irrelevant (and confusing) since ssh is a Main package. Pro does not apply.
xbreeze
July 27th, 2023, 11:02 AM
Hi,
The openssh package that fixes CVE-2023-38408 has been released for Jammy: https://packages.ubuntu.com/jammy/openssh-client and for Focal: https://packages.ubuntu.com/focal/openssh-client
It seems to be in the Main repository, not in the Universe.
So you can update it with apt.
jamespalma6564
January 4th, 2024, 08:51 AM
Hello Ian,
In my case, I was working on 8.2p1 Ubuntu-4ubuntu0.5 and after update/upgrade I'm on ubuntu0.10. I've been checking release notes on https://www.openssh.com/openbsd.html but I can't see any patches applied for this CVE in my current version; only OpenSSH 9.6 specifies that this CVE has been patched. I've been looking for a while and I'm not finding anything that indicates to me whether I'm protected or not.
How can I know if my version is patched? In the meantime I'll simply apply some simple hardening.
I am waiting for your response, thank you!
MAFoElffen
January 4th, 2024, 01:55 PM
I'm curious why you are awaiting a response to a support question that is not related to Ubuntu nor its flavors in a dedicated Ubuntu Support Section?
You are asking about that for "OpenBSD", where, using the same logic as explained... except for your own distro, your answer is here:
https://www.cvedetails.com/cve/CVE-2023-38408/?q=CVE-2023-38408
Sorry that I cannot provide more information on a distro other than Ubuntu, one that is also not Linux, though Linux-like.
ian-weisser
January 4th, 2024, 05:22 PM
I was working on 8.2p1 Ubuntu-4ubuntu0.5 and after update/upgrade I'm on ubuntu0.10.
...
I've been looking for a while and I'm not finding anything that indicates me if i'm protected or not.
Reviewing post #2 in this thread should have led you to https://ubuntu.com/security/CVE-2023-38408, which should answer most common questions.
Though it seems confusing why you would be working on Ubuntu packages while looking at OpenBSD release notes.
MAFoElffen
January 5th, 2024, 01:58 AM
@ian-weisser --> "jamespalma6564" does not have Ubuntu. He has OpenBSD. He tagged onto the OP's thread to ask about patching OpenBSD.
I gave him the link to his own distro's CVE tracker page.
Even though I and others here do use FreeBSD... We (here) do not provide support for OpenBSD.
This is the place for that in this forum: https://ubuntuforums.org/forumdisplay.php?f=171
Or the Security Section of the OpenBSD Forum: https://daemonforums.org/forumdisplay.php?f=15