Page MenuHomeDevCentral
Create Task
Maniphest T1935

OPENSSH 9.6
Closed, ResolvedPublic
Actions

Description

https://www.it-connect.fr/attaque-terrapin-pres-de-11-millions-de-serveurs-ssh-vulnerables/

OpenSSH 9.6 have a vulnerability issue

List of all the servers that should be updated and/or checked

  • cloudhugger [apt]
  • complector [freebsd-update]
  • db-A-001 [freebsd-update]
  • db-B-001 [freebsd-update]
  • dwellers [mitigation by SSH configuration]
  • docker-002 [mitigation by SSH configuration]
  • hervil [freebsd-update]
  • web-001 [freebsd-update]
  • router-001 [freebsd-update]
  • windriver [freebsd-update]
  • ysul [freebsd-update]

Revisions and Commits

rOPS Nasqueron Operations
D3265rOPS72f249f5686b Disable Terrapin sensible ciphers and algorithms

Event Timeline

DorianWinty created this task.Jan 5 2024, 11:12
Herald added a subscriber: dereckson. · View Herald TranscriptJan 5 2024, 11:12
DorianWinty added a comment.Jan 5 2024, 11:31

salt '*' cmd.run "ssh -V"

cloudhugger:
    OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023
windriver:
    OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023
dwellers:
    OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
windriver:
    OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023
windriver:
    OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023
docker-002:
    OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
hervil:
    OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023
complector:
    OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023
db-A-001:
    OpenSSH_9.3p2, OpenSSL 1.1.1t-freebsd  7 Feb 2023
db-B-001:
    OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023
web-001:
    OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023
router-001:
    OpenSSH_9.3p1, OpenSSL 1.1.1t-freebsd  7 Feb 2023
ysul:
    Minion did not return. [Not connected]
thrayce:
    Minion did not return. [Not connected]
DorianWinty added a comment.EditedJan 5 2024, 11:45
dereckson added a comment.Jan 5 2024, 12:06

FreeBSD integrates OpenSSH to the base OS.

WindRiver is up-to-date.

For Ysul, we'll upgrade OS to 14.0 too:

Note: While this issue does affect 12.4-STABLE and 12.4-RELEASE, the version
of OpenSSH in 12.4 is old enough the vendor provided patch does not cleanly
apply. As 12.4 goes out of support at the end of December and in order to
quickly get fixes out for 14.0 and 13.2, the FreeBSD Security Team is issuing
this advisory now while feasibility of a 12.4 backport is investigated. Users
with 12.4 are encouraged to either implement the documented workaround or
leverage an up to date version of OpenSSH from the ports/pkg collection.

DorianWinty added a comment.EditedJan 5 2024, 12:32

For Hervil

freebsd-update fetch
freebsd-update install
sudo service sshd restart

Everything is now up to date

DorianWinty updated the task description. (Show Details)Jan 5 2024, 19:55
DorianWinty updated the task description. (Show Details)
dereckson updated the task description. (Show Details)Jan 6 2024, 23:44
dereckson updated the task description. (Show Details)Jan 7 2024, 18:01
dereckson updated the task description. (Show Details)Jan 7 2024, 18:05
DorianWinty shifted this object from the Restricted Space space to the S1 Nasqueron space.Jan 8 2024, 21:11
DorianWinty shifted this object from the S1 Nasqueron space to the Restricted Space space.
DorianWinty changed the visibility from "Nasqueron security operations squad (Project)" to "Public (No Login Required)".
DorianWinty shifted this object from the Restricted Space space to the S1 Nasqueron space.
DorianWinty closed this task as Resolved.Jan 8 2024, 21:13
dereckson added a revision: D3265: Disable Terrapin sensible ciphers and algorithms.Jan 8 2024, 21:54
dereckson added a commit: rOPS72f249f5686b: Disable Terrapin sensible ciphers and algorithms.Jan 8 2024, 21:54
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator