Hi Experts, we are using Alma Linux 8.8 in our software, and we are seeing the below vulnerability reported through a Nessus scan (Tenable).
Kindly let us know if there is any solution you can suggest to address/mask this vulnerability.
The following Red Hat article has the details including mitigation:
Looks like this vulnerability is officially fixed now in openssh-8.0p1-19.el8_9.2.x86_64.rpm.
Correct me if I'm wrong, but from what you posted it's clear that openssh 8.7p1-34 is not vulnerable? I'm on this version.
As per the below links, I see it is fixed in openssh-8.0p1-19.el8_9.2.x86_64.rpm.
You may run a Nessus scan (Tenable) in your environment and confirm the same.
Hi @wojciechxtx, did you rerun the Nessus scan with openssh-8.0p1-19.el8_9.2.x86_64.rpm? Was the vulnerability reported for this version? Please confirm.
@Gurpreet, no, I did not run it yet. I have it in my backlog for today/tonight, so I will post the results here.
I’m also on Alma 9, trying to figure out the fix for this. I see a fix published for Alma 8:
but I haven’t seen it for Alma 9.
It appears that openssh 8.7p1-34.el9 was published in July (https://almalinux.pkgs.org/9/almalinux-baseos-x86_64/openssh-8.7p1-34.el9.x86_64.rpm.html), which is before this CVE, so I assume it's still not fixed in Alma 9?
@skynet, I have no idea about the 8.7 version; I'm on 9.6 (compiled from source by myself) and Terrapin is not a thing for me.
Ah ok, I was just going based on what you had installed in that screenshot. Maybe compiling from source is the way to go for now.
The screenshot was right at the time of writing. I have since updated.
If you do not want to be vulnerable to Terrapin, then the answer is yes.
PS: Bear in mind that I'm on a physical server, not a desktop, so there is a huge need for my setup not to be vulnerable.
Did a little more research and found what seems like the simplest solution here: security - How do you mitigate the Terrapin SSH attack? - Unix & Linux Stack Exchange
Add this file:

```
cipher@ssh = -CHACHA20*
ssh_etm = 0
```

Then apply it:

```
update-crypto-policies --set DEFAULT:TERRAPIN
```

I went with this since I don't need openssh 9.6 yet.
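To confirm what the policy module above actually changes on a server, here is an added example (not from the thread or from any of its posters) that parses `sshd -T` output and reports whether the daemon still offers the cipher/MAC combinations Terrapin depends on: the `chacha20-poly1305@openssh.com` cipher, or a CBC cipher together with an `*-etm@openssh.com` MAC. The two `sshd -T` dumps are constructed samples, one for a stock configuration and one for the configuration the TERRAPIN module produces.

```python
"""Audit `sshd -T` output for Terrapin-relevant algorithm offers.

Terrapin relies on the server negotiating either chacha20-poly1305 or a
CBC cipher with an encrypt-then-MAC (-etm) MAC. The TERRAPIN crypto-policy
module removes ChaCha20 (cipher@ssh = -CHACHA20*) and the -etm MACs
(ssh_etm = 0), which is what this check verifies. A server patched with
strict key exchange is immune regardless; that is not visible in `sshd -T`
and is out of scope here.
"""

# Constructed sample: typical defaults before the policy module is applied.
SAMPLE_DEFAULT = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes256-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256
"""

# Constructed sample: the same host after `update-crypto-policies --set DEFAULT:TERRAPIN`.
SAMPLE_POLICY = """\
port 22
ciphers aes128-ctr,aes256-gcm@openssh.com,aes256-cbc
macs hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256
"""


def parse_sshd_t(text):
    """Map each `sshd -T` keyword to its comma-separated value list."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].split(",")
    return conf


def terrapin_exposure(text):
    """Return which Terrapin-relevant offers remain and an overall verdict."""
    conf = parse_sshd_t(text)
    ciphers = conf.get("ciphers", [])
    macs = conf.get("macs", [])
    chacha = any(c.startswith("chacha20-poly1305") for c in ciphers)
    cbc = any(c.endswith("-cbc") for c in ciphers)
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    return {"chacha20": chacha, "cbc_etm": cbc and etm, "exposed": chacha or (cbc and etm)}
```

On a live host, feed it the real output with `sshd -T` (run as root) instead of the constructed samples; an "exposed" result means the server still offers a vulnerable combination, though a given session is only affected if the client negotiates it too.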