Tiny Core Linux
Tiny Core Extensions => TCE Talk => Topic started by: ovacikar on February 08, 2024, 02:44:31 PM
-
Hello,
Current openssh 9.5p1 appears vulnerable to CVE-2023-48795. I was able to compile openssh 9.6p1 using the same instructions (except using the newest openssl-dev):
http://tinycorelinux.net/11.x/x86/tcz/src/openssh/compile_openssh
Should I start preparing a submission, or the original maintainer (juanito) can rather do it?
-
Why not offload juanito and submit an extension? He is doing a lot.
-
Well I found out the install did not provide the etc/init.d/openssh script. I can run it from bootlocal.sh using existing keys.
So will need to revisit building a tcz.
-
Hi patrikg
That's up to Juanito to decide, not you.
-
I’m happy to do it, but it’ll be in a couple of weeks time..
-
Was able to fix this with an sshd_config update (https://terrapin-attack.com/#question-answer):
ciphers aes256-gcm@openssh.com
before:
Remote Banner: SSH-2.0-OpenSSH_9.3
ChaCha20-Poly1305 support: true
CBC-EtM support: false
Strict key exchange support: false
The scanned peer is VULNERABLE to Terrapin.
after:
Remote Banner: SSH-2.0-OpenSSH_9.3
ChaCha20-Poly1305 support: false
CBC-EtM support: false
Strict key exchange support: false
The scanned peer supports Terrapin mitigations and can establish
connections that are NOT VULNERABLE to Terrapin. Glad to see this.
For strict key exchange to take effect, both peers must support it.
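An added example (not from this post or the Tiny Core project): a small Python checker that resolves the Ciphers and MACs an sshd_config would offer, honouring sshd's first-occurrence-wins rule and its +/-/^ list prefixes, and reports the combinations Terrapin relies on, namely ChaCha20-Poly1305 or a CBC cipher paired with an EtM MAC. The OpenSSH 9.x default algorithm lists are assumed, and the sample configs are constructed; strict key exchange is not a config option and still needs support on both peers.

```python
import fnmatch

# Assumed OpenSSH 9.x server defaults, used when sshd_config has no directive.
DEFAULT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                   "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
DEFAULT_MACS = ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
                "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]

def resolve_list(value, default):
    """Expand a list, honouring sshd's '+' (append), '-' (remove, wildcards) and '^' (prepend)."""
    value = value.strip()
    prefix = value[:1] if value[:1] in ("+", "-", "^") else ""
    items = [i for i in value[len(prefix):].split(",") if i]
    if prefix == "+":
        return default + [i for i in items if i not in default]
    if prefix == "-":
        return [d for d in default if not any(fnmatch.fnmatch(d, p) for p in items)]
    if prefix == "^":
        return items + [d for d in default if d not in items]
    return items

def parse_sshd_config(text):
    """Return (ciphers, macs) sshd would offer; as in sshd, the first occurrence of a keyword wins."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                 # drop comments and blank lines
        if line:
            parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key = value"
            key = parts[0].lower()
            if key in ("ciphers", "macs") and key not in found:
                found[key] = parts[1] if len(parts) > 1 else ""
    ciphers = resolve_list(found["ciphers"], DEFAULT_CIPHERS) if "ciphers" in found else list(DEFAULT_CIPHERS)
    macs = resolve_list(found["macs"], DEFAULT_MACS) if "macs" in found else list(DEFAULT_MACS)
    return ciphers, macs

def terrapin_findings(ciphers, macs):
    """Name the offered combinations Terrapin needs: ChaCha20-Poly1305, or a CBC cipher with an EtM MAC."""
    findings = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        findings.append("chacha20-poly1305@openssh.com offered")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append("CBC %s with EtM %s offered" % (",".join(cbc), ",".join(etm)))
    return findings

# Constructed sample configs: stock defaults, then the one-line fix from the post.
BEFORE = "Port 22\n# no Ciphers line: sshd defaults apply\n"
AFTER = "Port 22\nciphers aes256-gcm@openssh.com\n"
```

Run `terrapin_findings(*parse_sshd_config(open("/etc/ssh/sshd_config").read()))` against a real file; an empty list means no Terrapin-capable algorithm is offered.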
-
FYI there is another CVE-2024-6387 affecting openssh. It has been fixed in 9.8p1.
For those in need urgently, the build script http://tinycorelinux.net/11.x/armv6/tcz/src/openssh/ works fine.
-
saw something, said something:
https://www.openssh.com/txt/release-9.9p2