AIX Open Source

  • 1.  ssh 9.7

    Posted Wed April 17, 2024 12:16 PM

    Recently we received a vulnerability report regarding ssh, and an update to 9.7 is required.

    I can find only version 9.2.

    Any help?



    ------------------------------
    Mohamed Gaber
    ------------------------------


  • 2.  RE: ssh 9.7

    Posted Wed April 17, 2024 12:44 PM
    On Wed, Apr 17, 2024 at 04:15:34PM +0000, Mohamed Gaber via IBM TechXchange Community wrote:
    > Recently we received a vulnerability report regarding ssh, and an update to 9.7 is required.
    >
    > I can find only version 9.2.

    I'd be curious too!

    OpenSSH is supposed to be covered by AIX support, not the open source
    toolkit. This may be the wrong community. You may have to file a
    support ticket.

    I've posted separately about IBM distributing unsigned SSH
    packages outside the normal distribution channels for the core OS via
    a marketing website. That causes me great concern.

    I'm evaluating our upgrade to 7200-05-07 now, and while OpenSSL has
    been updated to v3, OpenSSH is still on 8 when the marketing site has
    9.2 and there are newer versions upstream like 9.7.

    Please let us know where you find an authentic IBM supported update.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 3.  RE: ssh 9.7

    Posted Thu April 18, 2024 04:47 PM

    Thanks for this information, I share the same concerns. I have logged an IBM case for this issue, and will try to share any meaningful feedback that they provide.



    ------------------------------
    Niël Lambrechts
    ------------------------------



  • 4.  RE: ssh 9.7

    Posted Fri April 19, 2024 02:02 AM
    Edited by Sandeep Umesh Wed April 24, 2024 04:01 AM

    Hello

    Current supported versions of OpenSSH on AIX-Power are 8.1p1 and 9.2p1. The AIX team ensures that the fix for any vulnerability reported on higher versions is backported onto these supported versions.

    OpenSSH 9.2p1 is planned to be part of the AIX base image from the Fall 2024 releases onwards.

    Later, we plan to start an update to OpenSSH 9.7 or the corresponding latest version in late Q4 2024.

    Thanks

    Sandeep Umesh

    AIX Opensource Security



    ------------------------------
    Sandeep Umesh
    ------------------------------



  • 5.  RE: ssh 9.7

    Posted Tue April 23, 2024 03:10 AM

    The fourth quarter of 2024? Now the vulnerability on SOS has been upgraded to 9.3, the deadline is May 19th and the vulnerability level is urgent; it is too late.



    ------------------------------
    De Quan Qu
    ------------------------------



  • 6.  RE: ssh 9.7

    Posted Wed April 24, 2024 02:46 AM

    Hello @De Quan Qu !

    I've shown my Vulnerability Management Team the reasoning, the version according to "lslpp -l", the efixes via "emgr -l" and the advisories published by IBM, and they understood that, although 9.2 is reported, this is a maintained and fixed version of the 9.2 code, so they accepted the risk.

    If your "SOS" only looks at version numbers you will encounter this problem more often with long-term support software; e.g. we're using Adoptium Temurin Java 11 (LTS release), and checks only for higher versions would not be correct.

    HTH,

    With kind regards,

    Stephan Dietl



    ------------------------------
    Stephan Dietl
    ------------------------------
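    As an added example (not code from this thread, from IBM or from any poster), the evidence-gathering step described above can be turned into a small triage script: it parses constructed samples in the shape of `lslpp -l` and `emgr -l` output (levels, efix labels and abstracts are placeholders, not real IBM identifiers) and classifies a version-only scanner finding as current, a backport candidate to verify against the advisories, or needing review.

```python
import re

# Constructed sample in the shape of `lslpp -l openssh*` output (level made up).
LSLPP_OUTPUT = """\
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssh.base.client      9.2.112.2400  COMMITTED  Open Secure Shell Commands
  openssh.base.server      9.2.112.2400  COMMITTED  Open Secure Shell Server
"""

# Constructed sample in the shape of `emgr -l` output (labels/abstracts are
# placeholders, not real IBM efix identifiers).
EMGR_OUTPUT = """\
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    sshfix_1   04/10/24 09:12:01            PLACEHOLDER OpenSSH efix (openssh.base)
2    S    other_1    04/11/24 11:00:00            PLACEHOLDER unrelated efix (bos.rte)
"""

def parse_lslpp(text):
    """Return {fileset: level} for every fileset line in lslpp -l output."""
    levels = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(\d[\d.]*)\s+(\S+)\s", line)
        if m:
            levels[m.group(1)] = m.group(2)
    return levels

def parse_emgr(text, keyword):
    """Return labels of installed efixes whose abstract mentions keyword."""
    labels = []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(\S)\s+(\S+)\s+(\S+\s+\S+)\s+(.*)", line)
        if m and keyword.lower() in m.group(5).lower():
            labels.append(m.group(3))
    return labels

def triage(required, levels, efixes, fileset="openssh.base.server"):
    """Classify a version-only scanner finding ('required' = upstream version the
    scanner demands, e.g. '9.7') against the installed fileset level, whose first
    two components are the upstream OpenSSH release."""
    installed = tuple(int(x) for x in levels[fileset].split(".")[:2])
    wanted = tuple(int(x) for x in required.split(".")[:2])
    if installed >= wanted:
        verdict = "current"
    elif efixes:
        verdict = "backport_candidate"  # check each efix advisory against the cited CVEs
    else:
        verdict = "needs_review"  # no efix evidence: treat the finding as open
    return {"fileset": fileset, "level": levels[fileset], "efixes": efixes, "verdict": verdict}
```

    The verdict is only a triage label: "backport_candidate" still requires matching the efix advisories to the CVEs the scanner cites before the finding is closed.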



  • 7.  RE: ssh 9.7

    IBM Champion
    Posted Wed April 24, 2024 03:54 AM

    > AIX team ensures that any vulnerability reported on higher versions is backported

    I hope you don't do what you wrote :-) You don't back port vulnerabilities but fixes.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 8.  RE: ssh 9.7

    Posted Wed April 24, 2024 04:03 AM

    Typo, rectified. :)

    Thanks

    Regards

    Sandeep Umesh

    AIX Opensource Security



    ------------------------------
    Sandeep Umesh
    ------------------------------