OpenSSH CVE-2024-6387

Started by Patrick M. Hausen, July 01, 2024, 12:09:31 PM

FreeBSD published updated versions for all supported releases and also for release 13.2 which is already EOL, but they fixed it, anyway.

Supported releases at the moment are: 13.3, 14.0, 14.1.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

One thing to note here for clarity is that we do not have OpenSSH in the base system so the advisories do not even apply from that FreeBSD version EoL or not point of view:

https://github.com/opnsense/tools/commit/477358606e

The update will be done via openssh-portable package through the FreeBSD ports tree. Expect the update tomorrow.


Cheers,
Franco

Any updates yet? Did this update make it into OPNsense? pfSense handled it right away...

Quote from: Hydraulix989 on August 03, 2024, 08:38:02 PM
Any updates yet? Did this update make it into OPNsense? pfSense handled it right away...

Yeah, pfSense handled exactly nothing in the non-paid version except for the upstream documented workaround. Next release will come in a couple of years, maybe.

It was fixed almost a month ago, not sure what update you are expecting. https://forum.opnsense.org/index.php?topic=41505.0

Just to follow up on the previous: Yes, the correct way is to update to OpenSSH 9.8p1, which we did in 24.1.10 on July 11. It's a bit of a shame that allegedly serious issues are patched in a major release, but it is what it is.


Cheers,
Franco