Author Topic: OpenSSH CVE-2024-6387 (Read 5297 times)

Patrick M. Hausen · « **Reply #15 on:** July 10, 2024, 06:13:31 am »

FreeBSD published updated versions for all supported releases and also for release 13.2 which is already EOL, but they fixed it, anyway.

Supported releases at the moment are: 13.3, 14.0, 14.1.

franco · « **Reply #16 on:** July 10, 2024, 08:13:59 am »

One thing to note here for clarity is that we do not have OpenSSH in the base system so the advisories do not even apply from that FreeBSD version EoL or not point of view:

https://github.com/opnsense/tools/commit/477358606e

The update will be done via openssh-portable package through the FreeBSD ports tree. Expect the update tomorrow.

Cheers,
Franco

Hydraulix989 · « **Reply #17 on:** August 03, 2024, 08:38:02 pm »

Any updates yet? Did this update make it into OpnSense? pfSense handled it right away...

doktornotor · « **Reply #18 on:** August 03, 2024, 09:29:25 pm »

Quote from: Hydraulix989 on August 03, 2024, 08:38:02 pm

Any updates yet? Did this update make it into OpnSense? pfSense handled it right away...

Yeah, pfSense handled exactly nothing in the non-paid version except for the upstream documented workaround. Next release will come in a couple of years, maybe.

It's been fixed almost a month ago, not sure what update are you expecting. https://forum.opnsense.org/index.php?topic=41505.0

franco · « **Reply #19 on:** August 05, 2024, 10:37:03 am »

Just to follow up on the previous: Yes, the correct way is to update to OpenSSH 9.8p1, which we did in 24.1.10 on July 11. It's a bit of a shame that allegedly serious issues are patched in a major release, but it is what it is.

Cheers,
Franco

Author Topic: OpenSSH CVE-2024-6387 (Read 5297 times)

Patrick M. Hausen

Re: OpenSSH CVE-2024-6387

franco

Re: OpenSSH CVE-2024-6387

Hydraulix989

Re: OpenSSH CVE-2024-6387

doktornotor

Re: OpenSSH CVE-2024-6387

franco

Re: OpenSSH CVE-2024-6387