
Have a fairly vanilla Debian Buster (10) latest stable.

PCI Scan (sysnet/qualsys/worldpay) shows a PCI Compliance = NO vulnerability identified as CVE-2019-16905 https://security-tracker.debian.org/tracker/CVE-2019-16905

It doesn't look like it will be fixed for a while. The solution is to upgrade to OpenSSH 8.3.x (latest) which seems fairly straightforward with this https://www.tecmint.com/install-openssh-server-from-source-in-linux/

ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1d  10 Sep 2019

Then restarted ssh via sudo /etc/init.d/ssh restart

However, the PCI scan is still showing OpenSSH_7.9p1 Debian-10+deb10u2 even though ssh -V and sudo ssh -V are both showing OpenSSH_8.3p1, OpenSSL 1.1.1d 10 Sep 2019

  • Doing more debugging yields the following, but I am still not sure what is going on

    type -pa ssh
    /usr/local/bin/ssh <== correct
    /usr/bin/ssh <== OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
    /bin/ssh <== OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 201

  • Doing a sudo apt-get remove openssh-server did not really work (I had to log back in using the backup console from the hosting provider)

  • The /etc/init.d/ssh script is showing something

    # /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon

    test -x /usr/sbin/sshd || exit 0
    ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

    umask 022

    if test -f /etc/default/ssh; then
        . /etc/default/ssh
    fi

Any insight would be appreciated - thanks!

chicks
Chris Go
  • That it is designated as vulnerable doesn't make a lot of sense. The feature with the security issue shouldn't even have been built at all. Indeed, if they hadn't enabled it as the notes seem to suggest, then they should be marked as _not vulnerable_. Anyway, I suggest you skip this and backport the package from bullseye. – Michael Hampton Sep 27 '20 at 03:53
  • Thank you for your reply. These scans are fairly coarse-grained (I think they just check the version numbers). Checked the official buster-backports and nothing there so it looks like I will have to do this? https://wiki.debian.org/SimpleBackportCreation ... never done this before and first time I have really heard of "backport the package". More research seems to indicate a 50% chance of success. Does the debian page with the CVE with "vulnerable" indicate that this will not be fixed/patched anytime soon? – Chris Go Sep 28 '20 at 00:18
  • They also rated it as "unimportant" (which is true) so I don't expect them to release a fix if they haven't already done so. Backporting is pretty straightforward and I wouldn't expect any trouble with this particular package. – Michael Hampton Sep 28 '20 at 00:22
  • Some issues with the backport (not as straightforward) on the fakeroot part (`make[1]: *** [debian/rules:121: override_dh_auto_configure-arch] Error 2`). Tried with both amd64 and i386 (not sure if x86_64 is a thing). Checked back with the PCI scan and they just want me to show evidence that the Debian buster package was NOT compiled with the XMSS flag, which I don't think is available anywhere as a screenshot (this is from sudo apt-get update openssh-server). A screenshot of it not being set (this is the default for Gentoo at least https://security.gentoo.org/glsa/201911-01) – Chris Go Sep 28 '20 at 20:08
  • Or perhaps how to get openssh-server to use the compiled version (not from the backport) that is being displayed by `ssh -V` – Chris Go Sep 28 '20 at 20:34
  • Or maybe using apt pinning https://www.reddit.com/r/debian/comments/f0qo5q/change_sourceslist_temporarily_to_bullseye_and/? Add `deb http://ftp.us.debian.org/debian testing main` to the apt sources, then do `apt-get update` and `apt-get -t testing install openssh-server`. Tried this on a test server and it seemed to be working, but I'm not really sure what other unintended side effects this will have later – Chris Go Sep 28 '20 at 21:01
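The mismatch in the question has a simple cause that the `type -pa ssh` output already hints at: `ssh -V` reports whichever ssh client is first in PATH (the source build in /usr/local/bin), while the PCI scanner fingerprints the version banner sent by the daemon listening on port 22, and the Debian init script shown above always starts /usr/sbin/sshd, i.e. the packaged 7.9p1. The script below is an added example, not part of the original post, that checks all three places at once: the live banner, every sshd binary on disk, and the binaries behind the running sshd processes. It assumes a Linux host with /proc, pgrep and a netcat that accepts -w; the host, port and target version are arguments, and the banner strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): show which OpenSSH the host
# really exposes. "ssh -V" reports the client first in PATH; the scanner
# fingerprints the banner of the daemon listening on port 22, which Debian's
# init script always starts from /usr/sbin/sshd.
# Assumptions: Linux /proc, pgrep, and a netcat that accepts -w.

# Version from a protocol banner, e.g. "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
# (constructed sample) -> 7.9p1; empty for a non-OpenSSH banner.
banner_version() {
    printf '%s' "$1" | tr -d '\r' | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([^ ]*\).*/\1/p'
}

# Version an sshd binary reports: "sshd -?" prints its version line before the
# usage text, the same behaviour the Debian init script relies on.
sshd_binary_version() {
    [ -x "$1" ] || return 1
    "$1" -\? 2>&1 | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p' | head -n 1
}

# Binaries behind running sshd processes, resolved through /proc (Linux only).
running_sshd_binaries() {
    for pid in $(pgrep -x sshd 2>/dev/null); do
        readlink "/proc/$pid/exe" 2>/dev/null
    done | sort -u
}

# First line the listener sends, i.e. exactly what a network scanner sees.
live_banner() {
    nc -w 3 "$1" "$2" </dev/null 2>/dev/null | head -n 1
}

# Returns 0 when OpenSSH version $1 is at least $2 (major.minor p patchlevel).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "[.p]"); split(b, y, "[.p]")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

check_host() {
    host=${1:-127.0.0.1}; port=${2:-22}; want=${3:-8.3p1}
    banner=$(live_banner "$host" "$port")
    live=$(banner_version "$banner")
    printf 'listener %s:%s sends: %s\n' "$host" "$port" "${banner:-<no banner>}"
    for bin in /usr/sbin/sshd /usr/local/sbin/sshd; do
        v=$(sshd_binary_version "$bin") && printf 'on disk  %s -> OpenSSH %s\n' "$bin" "$v"
    done
    for exe in $(running_sshd_binaries); do
        printf 'running  %s\n' "$exe"
    done
    if [ -n "$live" ] && version_ge "$live" "$want"; then
        echo "OK: listener is OpenSSH $live (>= $want)"
    else
        echo "FAIL: listener is OpenSSH ${live:-unknown}; the scanner will keep flagging it"
        return 1
    fi
}

# Runs only when given arguments, e.g.: sh sshd-check.sh 127.0.0.1 22 8.3p1
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

On the host in the question this prints a 7.9p1 banner and /usr/sbin/sshd as the running binary even though /usr/local/sbin/sshd reports 8.3p1, which is what the scanner is reacting to; whichever fix is chosen (backport, or pointing the init script at the new binary), rerunning the check against the public address is the evidence the scan needs.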

1 Answer


I know this is a bit old, but in case anyone is wondering, I managed to install the backported openssh 8.4p1 on Debian 10 with the following.

# "sudo echo ... >> file" fails: the redirection runs as the unprivileged caller, so use tee
echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get install openssh-sftp-server/buster-backports openssh-server/buster-backports

The solution is from here.

Boson Bear
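The same procedure, as an added example rather than the answer's own commands, written so it can be rerun safely and then verified against the installed package rather than against whatever ssh client is first in PATH. The sources entry is only appended when it is missing, the backports release is selected per package with -t (so the rest of the system stays on stable, unlike pointing sources.list at testing), and the result is checked through dpkg-query. It assumes a Debian 10 host and must be run as root; the version strings in the comments are constructed examples.

```shell
#!/bin/sh
# Added example, not the answer's own commands: idempotent buster-backports
# install of openssh-server, verified against the installed package.
# Assumes a Debian 10 host; install_backport_sshd must run as root.

SOURCES=/etc/apt/sources.list
BACKPORTS_LINE='deb http://deb.debian.org/debian buster-backports main'

# Append a line to a file only if it is not already present.
# ("sudo echo ... >> file" does not work: the redirection runs as the caller.)
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# True for a dpkg version string built for buster-backports, which carries a
# ~bpo10 tag (constructed example: 1:8.4p1-2~bpo10+1); false for the stock
# buster version (constructed example: 1:7.9p1-10+deb10u2).
is_backport_version() {
    case $1 in *~bpo10*) return 0 ;; *) return 1 ;; esac
}

# Installed version of a package, empty if it is not installed.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

install_backport_sshd() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo sh $0 --install)" >&2; return 1; }
    ensure_line "$SOURCES" "$BACKPORTS_LINE"
    apt-get update
    # -t pulls only these packages from backports; everything else stays on stable.
    apt-get install -y -t buster-backports openssh-server openssh-sftp-server
    v=$(installed_version openssh-server)
    if is_backport_version "$v"; then
        echo "openssh-server $v comes from buster-backports; daemon now reports:"
        /usr/sbin/sshd -\? 2>&1 | head -n 1
    else
        echo "openssh-server is still ${v:-not installed}" >&2
        return 1
    fi
}

# Nothing runs unless explicitly asked: sudo sh backport-sshd.sh --install
if [ "${1:-}" = "--install" ]; then install_backport_sshd; fi
```

After the install, the listener on port 22 is the packaged /usr/sbin/sshd again, now at the backported version, so the scanner's banner check and `dpkg-query -W openssh-server` agree; the source build in /usr/local can then be removed so `type -pa ssh` stops disagreeing with the running daemon.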