[<Debian GNU/Linux 10 (buster)>] <Vulnerability in OpenSSH server (CVE-2024-6387)> #1580
Comments
Hi @brookerrj, Thanks for using Bitnami. According to the official Debian website, Debian Buster stopped receiving security updates as of June 30th, 2022. I'm afraid I don't know if Debian Buster is affected by CVE-2024-6387 because it is not listed in the CVE description webpage either. You will need to ask in a more specialized forum for further help on this.
Hello, The OpenSSH server vulnerability (CVE-2024-6387) is a critical issue that affects OpenSSH’s server (sshd) due to a race condition, allowing remote attackers to execute arbitrary code without authentication. For Debian GNU/Linux 10 (buster), here are the steps to address this vulnerability: Check for Updates: Unattended Upgrades: Best Regards,
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
@florence0239 Thank you for your feedback. I shall try to implement your solution in the next few days. I just need to make sure all is properly backed up first.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Describe your issue as much as you can
I'm assuming that the OpenSSH server vulnerability (CVE-2024-6387) is present in Debian GNU/Linux 10 (buster)?
How can I get fixes for this version? Will there be a fix available in the unattended-upgrades for this version?
Versions on my server:
```
bitnami@wordpress-1-vm:~$ sudo dpkg -l | grep ssh
ii libssh2-1:amd64 1.8.0-2.1+deb10u1 amd64 SSH2 client-side library
ii openssh-client 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.9p1-10+deb10u4 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
ii ssh 1:7.9p1-10+deb10u4 all secure shell client and server (metapackage)
bitnami@wordpress-1-vm:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
```
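An added example, not part of the issue thread or of Bitnami's tooling: a shell function that maps an openssh-server package version, such as the one in the dpkg output above, onto the upstream version ranges published for CVE-2024-6387. The function names and result labels are assumptions made for this example, and the sample version strings are constructed apart from the one quoted from the issue.

```sh
#!/bin/sh
# Added example, not from the thread. Upstream ranges for CVE-2024-6387:
#   < 4.4p1        old signal-handler race (unless patched for CVE-2006-5051
#                  and CVE-2008-4109)
#   4.4p1 - 8.4p1  outside the affected range
#   8.5p1 - 9.7p1  regression range
#   >= 9.8p1       fixed upstream

# Reduce a Debian package version to its upstream part:
# "1:7.9p1-10+deb10u4" -> "7.9p1" (drop the epoch and the Debian revision).
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Print one of: unknown, pre-4.4, outside-range, regression-range, fixed-upstream.
classify_openssh() {
    up=$(upstream_version "$1")
    case "$up" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${up%%.*}
    rest=${up#*.}
    minor=${rest%%[!0-9]*}          # "9p1" -> "9"
    case "$major" in
        *[!0-9]*) echo unknown; return 0 ;;
    esac
    n=$((major * 100 + minor))      # 7.9 -> 709, 8.5 -> 805, 9.8 -> 908
    if [ "$n" -lt 404 ]; then echo pre-4.4
    elif [ "$n" -lt 805 ]; then echo outside-range
    elif [ "$n" -lt 908 ]; then echo regression-range
    else echo fixed-upstream
    fi
}

# Sample inputs: the first is the version string from the issue, the rest are constructed.
for v in '1:7.9p1-10+deb10u4' '1:9.2p1-2+deb12u2' '1:9.8p1-1'; do
    printf '%-22s %s\n' "$v" "$(classify_openssh "$v")"
done
# On a live host: classify_openssh "$(dpkg-query -W -f='${Version}' openssh-server)"
# regression-range is not a verdict: distributions backport the fix without
# changing the upstream version, so confirm against the distro security tracker.
```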