Is it okay to update SSH
-
Hey there,
I know the Cloudron guides typically recommend for one to never run updates, and to let Cloudron handle it.
Does that include updates for SSH generally? Reason being I know there's been a few CVEs for SSH, and my SSH version is looking... not as new as I think it probably should be.
Just thought I'd ask before doing something potentially destructive :).
-
For security updates of Ubuntu packages, we rely on Ubuntu updates, which are applied automatically. For other updates, we do not support those as Cloudron needs specific versions of some packages to work reliably.
Which CVEs, Ubuntu and SSH versions are you talking about?
At least Cloudron does not rely on a specific SSH version, so as long as that does not also pull in other updates, that should be fine, but still curious why Ubuntu would not deem that as important security updates then.
-
@nebulon Sorry about the late reply. Yeah... that's what's confusing me too.
When I run lsb_release -a, I get that I'm on Ubuntu 20.04 LTS, which should still be supported just fine (it's supported for another couple of months). When I run ssh -v, I get:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020
which doesn't seem like it's updated (I think the newest is 9.2p1). There's apparently been a few CVEs still open for that SSH version if I'm understanding correctly. Like for example, the following:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28041
(I don't know that these necessarily apply to Cloudron... for example, it's not a 'legacy operating system'... but I still think it is wise to ask why the SSH version number didn't jump, I guess?) Now I could very much see myself just missing something important... perhaps Ubuntu LTS applies patches to SSH without bumping the version number... or perhaps that isn't the correct command to get the version number... or something else. I might be missing something here. Sorry if I am.
-
As far as I understand those CVEs, they are not relevant in that context. For the first, we don't use those affected configs, and the second is for the ssh-agent.
Given that the Ubuntu team usually knows what they do and are working closely together with upstream projects, there seems no need here to go beyond their recommendations of versions they push out via security updates.
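The point raised in the thread, that Ubuntu backports security fixes without bumping the upstream OpenSSH version, can be checked locally rather than by comparing against the newest upstream release. The following is an added example (not code from the thread, Cloudron or Ubuntu): it splits the banner that ssh -V prints (capital V; the banner goes to stderr, so use ssh -V 2>&1) into the upstream version and the Ubuntu package revision, compares revisions, and greps a changelog for a CVE id. The changelog text, the CVE-EXAMPLE ids and the maintainer line are constructed placeholders; on a real 20.04 host the changelog to search is /usr/share/doc/openssh-client/changelog.Debian.gz.

```shell
#!/bin/sh
# Added example: inspect an Ubuntu OpenSSH version banner and its package
# changelog. Nothing here is the project's own code.

# Banner as quoted in the thread (output of `ssh -V 2>&1`).
BANNER='OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020'

# upstream_version "<banner>" -> e.g. 8.2p1
# This is the upstream release; Ubuntu LTS keeps it fixed for the life of the release.
upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.p]*\) .*/\1/p'
}

# ubuntu_revision "<banner>" -> e.g. 4ubuntu0.11
# This is the part that increments when a security update is published.
ubuntu_revision() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_[^ ]* Ubuntu-\([^,]*\),.*/\1/p'
}

# revision_at_least "<have>" "<want>" -> exit 0 if have >= want
# (uses GNU sort -V ordering; dpkg --compare-versions is the canonical tool on a real host)
revision_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Constructed changelog excerpt in Debian changelog format. NOT the real
# openssh changelog; the CVE id and maintainer are placeholders.
CHANGELOG='openssh (1:8.2p1-4ubuntu0.11) focal-security; urgency=medium

  * SECURITY UPDATE: constructed example entry
    - CVE-EXAMPLE-0001

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
'

# cve_patched "<CVE-id>" "<changelog text>" -> prints "patched" or "not listed"
# On a real host: cve_patched CVE-XXXX-NNNN "$(zcat /usr/share/doc/openssh-client/changelog.Debian.gz)"
cve_patched() {
    if printf '%s\n' "$2" | grep -q -- "$1"; then
        echo patched
    else
        echo "not listed"
    fi
}

# Demo run on the constructed data
echo "upstream: $(upstream_version "$BANNER")"
echo "revision: $(ubuntu_revision "$BANNER")"
if revision_at_least "$(ubuntu_revision "$BANNER")" 4ubuntu0.9; then
    echo "revision is at or past 4ubuntu0.9"
fi
echo "CVE-EXAMPLE-0001: $(cve_patched CVE-EXAMPLE-0001 "$CHANGELOG")"
echo "CVE-EXAMPLE-9999: $(cve_patched CVE-EXAMPLE-9999 "$CHANGELOG")"
```

Reading the revision and the changelog is the check that answers the thread's question: a banner that still says 8.2p1 is expected on 20.04, and whether a given CVE is fixed is decided by the 4ubuntu0.N revision and the changelog entry for it, not by the upstream number.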