
Has this fix been pushed to / pulled by distributions yet?


It's fixed in Debian 12[1]. Debian 11 and earlier's SSH version was not vulnerable.

[1] https://security-tracker.debian.org/tracker/source-package/o...



And https://bugzilla.redhat.com/show_bug.cgi?id=2294904 (Fedora 40 issue)

EL 9 is also affected, but not yet released. The tracking task will update as things move along.


Fix pushed in openssh-9.3p1-11.fc39 and (in progress) openssh-9.6p1-1.fc40.4.


Ubuntu's also got patches out for 22.04 LTS, 23.10, and 24.04 LTS. See https://ubuntu.com/security/notices/USN-6859-1.

Amazon Linux 2023 is affected; Amazon Linux 1 & 2 are not. Status updates will be posted to https://explore.alas.aws.amazon.com/CVE-2024-6387.html


Gentoo: update to "net-misc/openssh-9.7_p1-r6" available since ~Mon 1.Jul.2024.

GLSA 202407-09: https://glsa.gentoo.org/glsa/202407-09

Package metadata & log: https://packages.gentoo.org/packages/net-misc/openssh


SUSE has the fixes under testing. I assume you could install them directly from OBS. I have not tried because I have no exposed system. https://www.suse.com/security/cve/CVE-2024-6387.html



