[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is addon vulnerable to regreSSHion? #768

Closed
0anton opened this issue Jul 9, 2024 · 3 comments
Closed

Is addon vulnerable to regreSSHion? #768

0anton opened this issue Jul 9, 2024 · 3 comments

Comments

@0anton
Copy link
0anton commented Jul 9, 2024
edited
Loading

Problem/Motivation

Potentially version is vulnerable to remote code execution as per CVE-2024-6387

 Add-on version: 17.3.0
 You are running the latest version of this add-on.
 System: Debian GNU/Linux 12 (bookworm)  (aarch64 / qemuarm-64)
 Home Assistant Core: 2024.7.1
 Home Assistant Supervisor: 2024.06.2

➜  ~ ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023

Related to:

addon-ssh/ssh/Dockerfile

Line 59 in 7fd5170

openssh=9.7_p1-r4 \

Currently used ssh version looks updated already, but the addon (18) is not yet released (17.3.0 is reported as latest in HA).

Both latest released and latest unreleased ssh version may be vulnerable:

The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Source

Expected behavior

We need an assurance that SSH Addon does not ship a vulnerable version of openssh (remote code execution).

Proposed changes

Update openssh package to the latest version.
@frenck
Copy link
Member
frenck commented Jul 9, 2024
edited
Loading

This is more a support question. Feel free to determine if it is.

Please note, this is not running Debian. This add-on runs Alpine Linux, which is musl-based, not GLIBC.

I was prepping a release though, so should be available soon™️

@corvy
Copy link
corvy commented Jul 10, 2024

Yeah I think it is only exploitable on GLIBC.

@frenck
Copy link
Member
frenck commented Jul 10, 2024

Yup it is not affected, see also here: https://fosstodon.org/@musl/112711796005712271

@frenck frenck closed this as not planned Won't fix, can't repro, duplicate, stale Jul 10, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@corvy @frenck @0anton