Hi,
I read that OpenSSH versions 8.5p1 to 9.8 are vulnerable to a certain type of attack called regreSSHion. The first OpenSSH version with the fix is said to be 9.8p1.
Just did an openSUSE Tumbleweed update and have
ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023
Hm, would somebody know if the openSUSE distribution is somehow safe because the scenario for the attack is not met or, if it is not safe, when to expect the update?
-------------------------------------------------------------------
Mon Jul 1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
- Add patch to fix a race condition in a signal handler by removing
the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
* fix-CVE-2024-6387.patch
That’s from the devel repo, and the “fixed” version is on its way to Factory.
And yes, I lost sight of the 32bit restriction. So 64bit is correctly impractical if you'd like to hack a specific site. It still just feels bad if someone picks you at random and lands a “lucky punch”. So good to know the fixes are under way. And yes, I just checked ssh and not sshd. But checking ssh did not require sudo …
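
Added example, not part of any post in this thread: a shell check that reads the upstream version from a banner and then looks for the CVE-2024-6387 entry in the package changelog, because a distribution can ship the fix as a patch while the version string stays the same. The function names, verdict strings and the `openssh` package name in the comment are assumptions; the sample input is constructed by pairing the banner and the changelog entry quoted above.

```shell
#!/bin/sh
# Constructed sample input: banner from the first post, changelog entry from the reply.
SAMPLE_BANNER='OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023'
SAMPLE_CHANGELOG='- Add patch to fix a race condition in a signal handler by removing
  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch'

# Print "MAJOR MINOR" from an "OpenSSH_X.YpZ" banner; fail if it does not parse.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | grep .
}

# Succeed if upstream MAJOR.MINOR falls in the range named in the thread:
# 8.5p1 up to, but not including, 9.8p1.
in_affected_range() {
    if [ "$1" -eq 8 ] && [ "$2" -ge 5 ]; then return 0; fi
    if [ "$1" -eq 9 ] && [ "$2" -lt 8 ]; then return 0; fi
    return 1
}

# Succeed if the changelog text on stdin mentions the CVE fix.
changelog_has_fix() {
    grep -q 'CVE-2024-6387'
}

# assess BANNER CHANGELOG_TEXT -> prints one verdict word.
assess() {
    ver=$(parse_version "$1") || { echo unknown-version; return 0; }
    major=${ver% *}
    minor=${ver#* }
    if ! in_affected_range "$major" "$minor"; then
        echo outside-range
    elif printf '%s\n' "$2" | changelog_has_fix; then
        echo in-range-fix-backported
    else
        echo in-range-no-fix-listed
    fi
}

# Run on the constructed sample. On an rpm-based system the live inputs would be
# (package name assumed): assess "$(ssh -V 2>&1)" "$(rpm -q --changelog openssh)"
assess "$SAMPLE_BANNER" "$SAMPLE_CHANGELOG"
```

A verdict of `in-range-no-fix-listed` only means the changelog does not name the CVE; it says nothing about whether the attack scenario applies to the host.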