Automatic Linux Update: OpenSSH CVE-2024-6387
-
Just wanted to know when this CVE will be applied across our Cloudrons:
https://ubuntu.com/security/CVE-2024-6387
I checked after rebooting and the proper version on my 22.04 servers was not installed. FYI, here is how to check:
dpkg-query --show openssh-server
and the proper information for each version of Ubuntu:
Ubuntu 24.04: openssh-server - 1:9.6p1-3ubuntu13.3
Ubuntu 22.04: openssh-server - 1:8.9p1-3ubuntu0.10(I know 24.04 is a future concern, but for anyone with a 24.04 server elsewhere, I thought I would share.)
My 22.04 server is also indicating that 70 updates can be applied, of which 3 are security related (OpenSSH). The time stamp of the last APT update was 2 July 2024 in the afternoon. Why aren't these updates being applied?
Is there a "safe" way to trigger updates within Cloudron or outside? (I did read the warning not to do that!)
-
This is applied by Ubuntu security updates. I just checked one random server of mine and it already updated with a patch. You can check the files in
/var/log/unattended-upgrades/*(https://manpages.ubuntu.com/manpages/bionic/man8/unattended-upgrade.8.html)In
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log, I had:Log started: 2024-07-02 06:22:52 Preconfiguring packages ... Preconfiguring packages ... (Reading database ... 220189 files and directories currently installed.) Preparing to unpack .../openssh-sftp-server_1%3a8.9p1-3ubuntu0.10_amd64.deb ... Unpacking openssh-sftp-server (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.6) ... Preparing to unpack .../openssh-server_1%3a8.9p1-3ubuntu0.10_amd64.deb ... Unpacking openssh-server (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.6) ... Preparing to unpack .../openssh-client_1%3a8.9p1-3ubuntu0.10_amd64.deb ... Unpacking openssh-client (1:8.9p1-3ubuntu0.10) over (1:8.9p1-3ubuntu0.6) ... Setting up openssh-client (1:8.9p1-3ubuntu0.10) ... Setting up openssh-sftp-server (1:8.9p1-3ubuntu0.10) ... Setting up openssh-server (1:8.9p1-3ubuntu0.10) ... rescue-ssh.target is a disabled or a static unit not running, not starting it. ssh.socket is a disabled or a static unit not running, not starting it. Processing triggers for man-db (2.10.2-1) ... Processing triggers for ufw (0.36.1-4build1) ... Log ended: 2024-07-02 06:23:14 -
@crazybrad said in Automatic Linux Update: OpenSSH CVE-2024-6387:
My 22.04 server is also indicating that 70 updates can be applied, of which 3 are security related (OpenSSH). The time stamp of the last APT update was 2 July 2024 in the afternoon. Why aren't these updates being applied?
I think the update will happen at some point automatically. You can run it manually with
sudo unattended-upgrade -d -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
-
@girish I checked this morning and the OpenSSH upgrade happened automatically. That being said, there are 67 updates that have not been applied. For example, iptables (which Cloudron manages). Any idea why these updates would not happen nightly?
-
@crazybrad only security fixes are applied. Other Ubuntu package updates are not managed by Cloudron.
The reason why we don't encourage updating is those ubuntu package updates sometimes do crazy things. They restart services, patch config files and if not paying attention will replace them as well. There is generally no issue with latest package itself, it's the update mechanism which is the problem. Indeed, when you install Cloudron afresh, we always run apt update (this already means that each server is running different package versions).
Given the flakiness of ubuntu packages, we have put a generic warning . You can update them if the message bothers you, but really there is no value in updating (and with the risk of the update doing something to break the system). Cloudron pretty much only uses nginx/collectd from ubuntu repos. Rest all come from containers via docker. docker/node are custom downloaded. Any issue in ssh server and nginx is covered by security updates.
-
@girish So if I understand you correctly, stop looking at system messages when I SSH into my server. Anything that Cloudron uses will be updated by Cloudron. And all security patches will be applied automatically. If I am using other services on my server outside of Cloudron, then that is my responsibility (not doing this now).
Lastly, why aren't updates of "security" related libraries like apparmor and iptables being managed by the Cloudron update process? Are these updates "optional" in the minds of maintainers?
-
@crazybrad yes your understanding is correct there.
For security updates we rely on Ubuntu's process to push those. This means users are not affected by us trying to beat the clock to push updates as Ubuntu would usually be the faster one anyways.
