1 Jul
2024
1 Jul
'24
10:58 a.m.
CVE-2024-6387 details a flaw in OpenSSH that could *potentially* give an
attacker a root shell in "6-8 hours"
It's not in MITRE yet, but Qualys have named it "regreSSHion" and you can
read about it on their site
There's an updated package in Debian already, but it looks like the
information's still embargoed (even the openssh package changelog is
404ing) so I can only *assume* they've fixed it but can't tell anyone yet
(it wasn't on security.debian.org just now either
This is probably an update you don't want to be sleeping on
1 Jul
1 Jul
11:20 a.m.
Thanks a lot for the heads-up! On bookworm, I see an update available, but
run into an openssl dependency issue:
# apt upgrade openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
openssh-server : Depends: openssh-client (= 1:9.2p1-2+deb12u3)
Depends: libssl3 (>= 3.0.13) but 3.0.11-1~deb12u2 is to
be installed
E: Broken packages
These are my sources:
# cat /etc/apt/sources.list.d/debian*
#deb http://ftp.debian.org/debian bookworm-backports main
#deb http://deb.debian.org/debian bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/deb.debian.org/debian/
bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian stable
main contrib non-free non-free-firmware
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian
stable main contrib non-free
deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
stable-security main contrib non-free
deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
stable-security main contrib non-free
Any ideas?
I have another VPS running buster, which I note has reached EOL last
night. What absolutely fabulous timing!
https://wiki.debian.org/LTS
On Mon, 1 Jul 2024 at 11:59, Richard Wallman via BitFolk Users <
users(a)mailman.bitfolk.com> wrote:
CVE-2024-6387 details a flaw in OpenSSH that could
*potentially* give an
attacker a root shell in "6-8 hours"
It's not in MITRE yet, but Qualys have named it "regreSSHion" and you can
read about it on their site
There's an updated package in Debian already, but it looks like the
information's still embargoed (even the openssh package changelog is
404ing) so I can only *assume* they've fixed it but can't tell anyone yet
(it wasn't on security.debian.org just now either
This is probably an update you don't want to be sleeping on
_______________________________________________
BitFolk Users mailing list <users(a)mailman.bitfolk.com>
You're subscribed as <bitfolk(a)adamspiers.org>
Unsubscribe: <
https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.c…
or send an email to
<users-leave(a)mailman.bitfolk.com>
11:44 a.m.
On 1/07/24 23:20, Adam Spiers via BitFolk Users wrote:
Thanks a lot for the heads-up! On bookworm, I see an
update
available, but run into an openssl dependency issue [...]
You may be experiencing cache skew. Either wait 24 hours for Bitfolk's
cache to update, or re-enable deb.debian.org for the time being.
I had no problem updating my home server just now (also bookworm, using
deb.debian.org sources exclusively. (But I'm in New Zealand, your CDN
node may vary.)
I have another VPS running buster, which I note has
reached EOL last
night. What absolutely fabulous timing!
buster contained openssh 7.9; the Qualys advisory says that versions
between 4.4p1 and 8.5p1 are not vulnerable.
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
Ross
12:07 p.m.
On Mon, 1 Jul 2024 at 12:45, Ross Younger via BitFolk Users
<users(a)mailman.bitfolk.com> wrote:
Oh great, thanks again!
Wow, what an amazing piece of research and write-up. Wish I had spare
time to read it properly!
On 1/07/24 23:20, Adam Spiers via BitFolk Users wrote:
Thanks, this was it! Although oddly it wasn't enough to avoid
Bitfolk's cache for just security.debian.org; I had to do it for the
main repo too, which then ended up pulling in a whole bunch of updates
which weren't visible before. Very weird.
Thanks a lot for the heads-up! On bookworm, I
see an update
available, but run into an openssl dependency issue [...]
You may be experiencing cache skew. Either wait 24 hours for Bitfolk's
cache to update, or re-enable deb.debian.org for the time being.
I had no problem updating my home server just now (also bookworm, using
deb.debian.org sources exclusively. (But I'm in New Zealand, your CDN
node may vary.) I have another
VPS running buster, which I note has reached EOL last
night. What absolutely fabulous timing!
buster contained openssh 7.9; the Qualys advisory says that versions
between 4.4p1 and 8.5p1 are not vulnerable. 
2 Jul
2 Jul
2:17 p.m.
Hi,
On Mon, Jul 01, 2024 at 11:44:26PM +1200, Ross Younger via BitFolk Users wrote:
On 1/07/24 23:20, Adam Spiers via BitFolk Users
wrote:
Just to note that this shouldn't happen, as we use apt-cacher-ng
which should check if there are newer versions of whatever is
requested.
Also I have installed these updates for bookworm already, through
our apt-cache, so the packages are definitely there on it.
If ever you suspect any issue with our apt-cacher you can just
remove its prefix from the URIs in /etc/apt/sources.list in order to
stop using it.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Thanks a lot for the heads-up! On bookworm, I
see an update
available, but run into an openssl dependency issue [...]
You may be experiencing cache skew. Either wait 24 hours for Bitfolk's cache
to update, or re-enable deb.debian.org for the time being. 
1 Jul
1 Jul
11:45 a.m.
I've done the upgrade on a home machine and two servers (one of them a
Bitfolk VPS) without problems, all Debian 12.
Did you do an apt update first?
Also I also always use
apt-get upgrade
without specifying the package name, to make sure to catch everything
that needs upgrading. In this case, openssh-client did need upgrading too.
I subscribe to the Debian security mailing list and get notifications
every two or three days, and I have a script that brings all of them up
to date on one command. Incidents like this show why it's a good idea to
apply updates as soon as possible.
On Mon, Jul 01, 2024 at 12:20:22PM +0100, Adam Spiers via BitFolk Users wrote:
Thanks a lot for the heads-up! On bookworm, I see an
update available, but
run into an openssl dependency issue:
# apt upgrade openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
openssh-server : Depends: openssh-client (= 1:9.2p1-2+deb12u3)
Depends: libssl3 (>= 3.0.13) but 3.0.11-1~deb12u2 is to
be installed
E: Broken packages
These are my sources:
# cat /etc/apt/sources.list.d/debian*
#deb http://ftp.debian.org/debian bookworm-backports main
#deb http://deb.debian.org/debian bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/deb.debian.org/debian/
bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian stable
main contrib non-free non-free-firmware
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian
stable main contrib non-free
deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
stable-security main contrib non-free
deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/
stable-security main contrib non-free
Any ideas?
I have another VPS running buster, which I note has reached EOL last
night. What absolutely fabulous timing!
https://wiki.debian.org/LTS
On Mon, 1 Jul 2024 at 11:59, Richard Wallman via BitFolk Users <
users(a)mailman.bitfolk.com> wrote:
> CVE-2024-6387 details a flaw in OpenSSH that could *potentially* give an
> attacker a root shell in "6-8 hours"
>
> It's not in MITRE yet, but Qualys have named it "regreSSHion" and you
can
> read about it on their site
>
> There's an updated package in Debian already, but it looks like the
> information's still embargoed (even the openssh package changelog is
> 404ing) so I can only *assume* they've fixed it but can't tell anyone yet
> (it wasn't on security.debian.org just now either
>
> This is probably an update you don't want to be sleeping on
> _______________________________________________
> BitFolk Users mailing list <users(a)mailman.bitfolk.com>
> You're subscribed as <bitfolk(a)adamspiers.org>
> Unsubscribe: <
> https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.c…
> >
> or send an email to <users-leave(a)mailman.bitfolk.com>
>
_______________________________________________
BitFolk Users mailing list <users(a)mailman.bitfolk.com>
You're subscribed as <anahata(a)treewind.co.uk>
Unsubscribe:
<https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.com/>
or send an email to <users-leave(a)mailman.bitfolk.com>
--
Anahata
anahata(a)treewind.co.uk -+- http://www.treewind.co.uk
Home: 01535 501017 Mob: 07976 263827
11:54 a.m.
On Mon, Jul 1, 2024 at 12:45 PM Anahata via BitFolk Users <
users(a)mailman.bitfolk.com> wrote:
I subscribe to the Debian security mailing list and
get notifications
every two or three days, and I have a script that brings all of them up
to date on one command. Incidents like this show why it's a good idea to
apply updates as soon as possible.
This is where I mention apticron:
https://packages.debian.org/bookworm/apticron
It doesn't *install* updates for you, but it will tell you when there's
updates to any packages
you have installed. Saves having to log in to servers to check for updates
(especially if you're
looking after a number of servers) and because it only reports on the
installed packages there's
less "noise" to filter out :)
2 Jul
2 Jul
2:20 p.m.
Hi,
On Mon, Jul 01, 2024 at 12:54:59PM +0100, Richard Wallman via BitFolk Users wrote:
This is where I mention apticron:
I use this also.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
1 Jul
1 Jul
1:01 p.m.
On Mon, Jul 01, 2024 at 12:45:06PM +0100, Anahata via BitFolk Users wrote:
I've done the upgrade on a home machine and two
servers (one of them a
Bitfolk VPS) without problems, all Debian 12.
Did you do an apt update first?
Yep.
Also I also always use
apt-get upgrade
without specifying the package name, to make sure to catch everything
that needs upgrading. In this case, openssh-client did need upgrading too.
I tried that first, and it came up with no actions:
# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
openssh-client openssh-server openssh-sftp-server ssh
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
But *why* was it kept back?! This is a good example of how (in my
experience, at least) apt's behaviour is often pretty difficult to
follow. Compare with openSUSE's zypper for example, where its SAT
solver makes for way less cryptic messages, and also provides
different easy-to-understand courses of action to choose from.
That's why I explicitly asked for openssh-server to be upgraded, to
see why it wasn't doing it. Bypassing the Bitfolk cache seemed to do
the trick.
I subscribe to the Debian security mailing list and get
notifications
every two or three days,
Same here, but I'm overwhelmed by email so it's helpful to have
critical updates like this one pointed out on the list.
and I have a script that brings all of them up
to date on one command. Incidents like this show why it's a good idea to
apply updates as soon as possible.
Agreed. I use apticron but it's been misbehaving recently.
3:01 p.m.
On Mon, Jul 01, 2024 at 02:01:31PM +0100, Adam Spiers wrote:
On Mon, Jul 01, 2024 at 12:45:06PM +0100, Anahata via
BitFolk Users wrote:
Didn't mean to insult your intelligence, of course, but it's a mistake I
could make :-)
Did you do an apt update first?
Yep. But *why* was it kept back?!
You can literally ask that question with aptitude (or "why-not")
~$ aptitude why-not openssh-client
Admittedly the answer can still be somewhat cryptic, but it has
solved some puzzles for me.
I use apticron but it's been misbehaving recently.
Not heard of that. Thanks for the tip.
--
Anahata
anahata(a)treewind.co.uk -+- http://www.treewind.co.uk
Home: 01535 501017 Mob: 07976 263827
3:22 p.m.
On Mon, Jul 01, 2024 at 04:01:58PM +0100, Anahata via BitFolk Users wrote:
Very nice tip, thanks!
Now we're even ;-)
On Mon, Jul 01, 2024 at 02:01:31PM +0100, Adam Spiers
wrote:
Don't worry, you didn't ;-)
On Mon, Jul 01, 2024 at 12:45:06PM +0100, Anahata
via BitFolk Users wrote:
Didn't mean to insult your intelligence, of course Did you do an apt update first?
Yep. But *why* was
it kept back?!
You can literally ask that question with aptitude (or "why-not")
~$ aptitude why-not openssh-client
Admittedly the answer can still be somewhat cryptic, but it has
solved some puzzles for me. I use apticron
but it's been misbehaving recently.
Not heard of that. Thanks for the tip.
2 Jul
2 Jul
2:27 p.m.
Hi,
On Mon, Jul 01, 2024 at 04:22:51PM +0100, Adam Spiers via BitFolk Users wrote:
On Mon, Jul 01, 2024 at 04:01:58PM +0100, Anahata via
BitFolk Users wrote:
Did it explain why those packages are held back?
On Debian-like systems, doing "upgrade" won't install completely new
packages that have become dependencies of already-installed ones,
which is why "full-upgrade" and "dist-upgrade" exist. You can
sometimes see things held back for that reason, when using "apt
upgrade".
You also need to do "apt update" regularly to see the availability
of new packages at all.
apticron does the "update" part and emails me about available
upgrades.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
On Mon, Jul 01, 2024 at 02:01:31PM +0100, Adam
Spiers wrote:
Very nice tip, thanks! But *why* was it kept back?!
You can literally ask that question with aptitude (or "why-not")
~$ aptitude why-not openssh-client
Admittedly the answer can still be somewhat cryptic, but it has
solved some puzzles for me.
1 Jul
1 Jul
1:07 p.m.
On Mon, Jul 01, 2024 at 12:45:06PM +0100, Anahata via BitFolk Users wrote:
I've done the upgrade on a home machine and two
servers (one of them a
Bitfolk VPS) without problems, all Debian 12.
Did you do an apt update first?
Yep.
Also I also always use
apt-get upgrade
without specifying the package name, to make sure to catch everything
that needs upgrading. In this case, openssh-client did need upgrading too.
I tried that first, and it came up with no actions:
# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
openssh-client openssh-server openssh-sftp-server ssh
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
But *why* was it kept back?! This is a good example of how (in my
experience, at least) apt's behaviour is often pretty difficult to
follow. Compare with openSUSE's zypper for example, where its SAT
solver makes for way less cryptic messages, and also provides
different easy-to-understand courses of action to choose from.
That's why I explicitly asked for openssh-server to be upgraded, to
see why it wasn't doing it. Bypassing the Bitfolk cache seemed to do
the trick.
I subscribe to the Debian security mailing list and get
notifications
every two or three days,
Same here, but I'm overwhelmed by email so it's helpful to have
critical updates like this one pointed out on the list.
and I have a script that brings all of them up
to date on one command. Incidents like this show why it's a good idea to
apply updates as soon as possible.
Agreed. I use apticron but it's been misbehaving recently.
1:53 p.m.
Adam Spiers said:
The following packages have been kept back:
openssh-client openssh-server
openssh-sftp-server ssh
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
But *why* was it kept back?! This is a good example of how (in my
experience, at least) apt's behaviour is often pretty difficult to
follow.
Ubuntu? It has an annoying habit doing this, with the excuse that they
stage updates so that if there's an issue, only a few people are affected.
Using aptitude to do upgrades gets them ASAP when apt / apt-get talk about
them being held back.
Here, webmin sets up the cron job to check for updates every hour.
Ian
12:25 p.m.
On Mon, Jul 1, 2024 at 11:58 AM Richard Wallman <rwallman0001(a)gmail.com wrote:
it wasn't on security.debian.org just now
It's been added:
https://lists.debian.org/debian-security-announce/2024/msg00135.html
172
days inactive
173
days old
14 comments
7 participants
participants (7)
-
Adam Spiers -
Adam Spiers -
Anahata -
Andy Smith -
Ian -
Richard Wallman -
Ross Younger