faramon
Posts: 123
Joined: Sat Jun 11, 2016 8:36 am
Location: Croatia

OpenSSH Upgrade

Wed Oct 19, 2016 10:45 am

Hi,
what is the upgrade command to upgrade OpenSSH to version 7.0 because of a security risk with the older version?
I have Raspbian Jessie OS:
Version source: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
Installed version: 6.7p1
Security fixed version: 7.0

Thanx,
Faramon

gkreidl
Posts: 6326
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: OpenSSH Upgrade

Wed Oct 19, 2016 11:37 am

Security fixes are backported. No need to upgrade to a newer version.

faramon
Posts: 123
Joined: Sat Jun 11, 2016 8:36 am
Location: Croatia

Re: OpenSSH Upgrade

Wed Oct 19, 2016 12:30 pm

Ok,

I reported my own web server on the Raspberry Pi to an online security scanner and it reported this for SSH as a problem.
Today I received an email from them with this security issue and they suggested that I upgrade to SSH v7.0.

Faramon

rpdom
Posts: 17172
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: OpenSSH Upgrade

Wed Oct 19, 2016 3:16 pm

faramon wrote:
Ok,

I reported my own web server on the Raspberry Pi to an online security scanner and it reported this for SSH as a problem.
Today I received an email from them with this security issue and they suggested that I upgrade to SSH v7.0.

Did they say why? Which CVE they think you are vulnerable to?

They only check the main version number of your SSH server and are too lazy to bother about the fact that Debian (and therefore Raspbian) always backport all security fixes to their current versions of software.

That's what the "+deb8u3" on the end of the file name means.

Ignore them.

fruitoftheloom
Posts: 23337
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: OpenSSH Upgrade

Wed Oct 19, 2016 3:38 pm

OpenSSH 6.7p1-5+deb8u3 was released 3 months ago (21st July):

http://metadata.ftp-master.debian.org/c ... _changelog

The latest Debian Stretch OpenSSH 7.3p1-1 was released 7th August, so I would surmise nothing to be gained from version 7 at this time ;)

faramon
Posts: 123
Joined: Sat Jun 11, 2016 8:36 am
Location: Croatia

Re: OpenSSH Upgrade

Wed Oct 19, 2016 6:47 pm

I have NGINX web server installed on my Raspberry Pi.

I received this and I think it is about open port 22 for FTP connection (I have done port forwarding to 22, 5901, 80):
High risk vulnerabilities results:
1. OpenSSH Running Version Prior to 7.0 (High)
Port: ssh (22/tcp)
Summary:
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Version source: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
Installed version: 6.7p1
Fixed version: 7.0

Recommended Solution:
Upgrade to OpenSSH version 7.0 or newer.

CVE: CVE-2015-5600

There are also two medium risks:
1. Web Application Cookies Lack Secure Flag (Medium)
2. Web Application Cookies Lack HttpOnly Flag (Medium)
Both for Port: http (80/tcp)
and one Low risk:
1. VNCviewer in Listen Mode Detection (Low)
Port: vnc-1 (5901/tcp)

Is my web server susceptible to security vulnerabilities?

Thanx,
Faramon

rpdom
Posts: 17172
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: OpenSSH Upgrade

Wed Oct 19, 2016 6:59 pm

Reading the Debian notes for that CVE https://security-tracker.debian.org/tra ... -2015-5600 the openssh package has not been patched because the vulnerability only affects systems that have KbdInteractiveAuthentication set to "yes". The Debian and Raspbian packages have that set to "no" as default, therefore it is safe unless you change that setting yourself.

I think you're safe enough :-)
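A defender's reading of the scanner finding above, as an added example that is not code from this thread: it parses the banner the scanner saw, flags the Debian "+deb8u3" revision rpdom points out, and checks the keyboard-interactive setting that decides exposure to CVE-2015-5600 before trusting a version-only match. The banner and sshd_config lines are constructed; in OpenSSH 6.x the option is spelled ChallengeResponseAuthentication, which newer releases also accept as KbdInteractiveAuthentication.

```python
import re

# Constructed sample inputs (not captured from the poster's Pi)
BANNER = "SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3"
SSHD_CONFIG = "# constructed sshd_config excerpt\nPort 22\nChallengeResponseAuthentication no\nUsePAM yes\n"

BANNER_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?"
                       r"(?:\s+(?P<distro>\w+)-(?P<revision>\S+))?$")


def parse_banner(banner):
    """Split an sshd banner into upstream version and optional distro revision."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    d = m.groupdict()
    rev = d["revision"] or ""
    return {
        "upstream": (int(d["major"]), int(d["minor"])),
        "distro": d["distro"],
        # "+debNuM" marks a Debian stable security/point update: the upstream
        # version number alone says nothing about which fixes are applied.
        "backported": re.search(r"\+deb\d+u\d+", rev) is not None,
    }


def kbd_interactive_enabled(config_text):
    """Last uncommented setting wins; the upstream default is "yes".
    OpenSSH 6.x spells it ChallengeResponseAuthentication; newer releases
    also accept KbdInteractiveAuthentication."""
    enabled = True
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() in (
                "challengeresponseauthentication", "kbdinteractiveauthentication"):
            enabled = parts[1].lower() == "yes"
    return enabled


def triage_cve_2015_5600(banner, config_text):
    """Refine a version-only 'OpenSSH < 7.0' finding using revision and config."""
    info = parse_banner(banner)
    if info["upstream"] >= (7, 0):
        return "not affected (upstream >= 7.0)"
    if not kbd_interactive_enabled(config_text):
        return "not exposed (keyboard-interactive disabled)"
    if info["backported"]:
        return "check distro security tracker (backported build)"
    return "likely affected"
```

Run against the real host with the output of `ssh -V`-style banner capture and the contents of /etc/ssh/sshd_config; a "check distro security tracker" result means the version string cannot settle the question and the distribution's CVE page must.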

faramon
Posts: 123
Joined: Sat Jun 11, 2016 8:36 am
Location: Croatia

Re: OpenSSH Upgrade

Wed Oct 19, 2016 7:01 pm

Thanx.
Faramon
