2

I've seen in a blog that Ubuntu released a fix for the RegreSSHion vulnerability. But I'm confused about getting those fixed patches to my system.

Currently, I've installed Ubuntu 22.04 on my Surface, but I'm not able to get the fix even after performing apt update and multiple reboots.

Kindly suggest—is there any other process that I need to follow?

The blog I've referred to: https://ubuntu.com/blog/ubuntu-regresshion-security-fix

The patch released: https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

abhi
  • 53

2 Answers

2

Typically, fixes like that are distributed in the routine package updates. So if you keep your packages up to date (which is a good idea in most cases anyway), you should have the fix.

If you want to check which package version(s) you exactly need, you can look that up. The blog article you mentioned links in the first paragraph to the corresponding entry in Ubuntu Security. There, you can check under "Status" which versions of which source code packages you need. For Ubuntu 22.04 LTS Jammy Jellyfish, you look for "Jammy":

Package openssh, jammy, Released (1:8.9p1-3ubuntu0.10)
Package openssh-ssh1, jammy, Not vulnerable (introduced in v8.5p1)

So for this, you only need to worry about any binary packages built from the source package openssh (if you have installed anything related to OpenSSH 1.x in the first place).

To find out which binary packages those are, the Ubuntu Security page conveniently links a search to the Ubuntu packages list, under the keyword "Ubuntu". For the source package openssh, that would be this search.

There again, you can look for your distribution version, being Jammy. This shows you that from the source package openssh, the following binary packages are built:

openssh-client, openssh-server, openssh-sftp-server, openssh-tests, ssh, ssh-askpass-gnome

Each of those is a link to the respective package in the packages list. So you can look up there which is the newest version. Typically, the naming will follow the source package, so you'll be looking for openssh-client 1:8.9p1-3ubuntu0.10, openssh-server 1:8.9p1-3ubuntu0.10 and so forth. You can check with apt policy which package in which version you have currently installed, for example apt policy openssh-client, apt policy openssh-server etc.

In case any of those packages are still on outdated versions, you can update them with apt upgrade. But as I mentioned above, if you do your routine package updates, those should already have been handled. Of course, you only need to update packages that you're actually using, so if for example you don't have openssh-tests installed, you don't need to upgrade it to any newer version.

As a side remark just in case: If you installed anything OpenSSH-related yourself outside of the Ubuntu package system, for example by compiling it yourself, you're responsible for that yourself. The Ubuntu package system can't help you with those cases.

1

As mentioned in the comments, sudo apt update only updates your list of packages and does not perform any updates.

To update the software on your system, run the following command only after you run sudo apt update:

sudo apt upgrade

or

sudo apt full-upgrade

if you aren't running in production. That should upgrade all existing packages where an update is available.

According to the blog post you referenced, you should've run the following as a single command:

sudo apt update && sudo apt install openssh-server

According to the Ubuntu security notices webpage, a patched version for Ubuntu Jammy (22.04) was released as version 1:8.9p1-3ubuntu0.10.

Run:

dpkg -l | grep openssh

to view the version currently installed on your system.

Also, the openssh-ssh1 package appears to be not vulnerable according to the security notice:

Not vulnerable (introduced in v8.5p1)

A mitigation is listed along with the security notice. However, the mitigation is not necessary if you have updated to the latest version.

Red Hat provides more detailed information about applying the mitigation if you are still using a vulnerable version.

mchid
  • 44,904
  • 8
  • 102
  • 162