[Security Issue] hpn-ssh seems to be vulnerable to a critical threat CVE-2024-6387 #87
Comments
We've just been made aware of this but we already had started work on porting to 9.8. I hope to have a release ready by the end of the day but that may slip until tomorrow.
Glad to hear about it. I should not bother to ask ;=)
We've had to change plans and we have backported the fix from 9.8 to the 9.7 code base. This is available in master with the tag hpn-18.4.2. The 9.8 port is taking longer than expected - especially with the packages. We thought this was the best move forward at this time. We will get to 9.8 as soon as we can but the US holiday will delay things.
The Debian packages seem to have missed the release. Would you mind taking a look at it?
I didn't have a chance to get to those yesterday. I will be getting those in place in about an hour. My apologies for the delay.
Debian packages should now be available from https://download.opensuse.org/repositories/home:/rapier1 Functional Ubuntu packages should also be available from the launchpad PPA.
The patched version is confirmed to be available on Debian 12, Rocky Linux 9.4, Fedora 40, & Ubuntu 22.04 ;-)
The latest release of hpn-ssh was based on OpenSSH 9.7, which is vulnerable to the regression of CVE-2006-5051, according to the report
Thought it was worth raising a concern about that problem; I wish I did not intervene in the normal process of development.