
pkg/debug: update openssh to version 9.8p1

Open christoph-zededa opened this issue 1 year ago • 15 comments

According to https://fosstodon.org/@musl/112711796005712271 it should "only" be a deadlock for us.

for more information about CVE-2024-6387 see also https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

christoph-zededa avatar Jul 01 '24 17:07 christoph-zededa
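A banner-based pre-check for the affected ranges, as an added example for this thread (not code from the issue, the EVE project or Alpine). The range boundaries are the ones the Qualys advisory linked above states: versions before 4.4p1 (unless CVE-2006-5051 was backported), and 8.5p1 up to but not including 9.8p1. The classification is an assumption on the banner alone: a distribution that backports the fix without bumping the version still reports as "vulnerable" here, and for musl-based builds such as EVE's Alpine base the musl post cited above expects a deadlock rather than exploitation, which this check cannot see. Sample banners are constructed, not captured.

```shell
#!/bin/sh
# Banner-based triage for CVE-2024-6387 ("regreSSHion"). Added example,
# not EVE project code. Affected ranges per the Qualys advisory:
#   < 4.4p1            vulnerable (unless CVE-2006-5051 was backported)
#   4.4p1  .. < 8.5p1  not vulnerable
#   8.5p1  .. < 9.8p1  vulnerable (the old fix was regressed)
#   >= 9.8p1           fixed
# Assumption/caveat: this only reads the version string. Backported fixes
# and the musl "deadlock, not exploit" behaviour are invisible to it.

# Turn a banner such as "SSH-2.0-OpenSSH_9.7p1" or the first line of
# `ssh -V` ("OpenSSH_9.7p1, OpenSSL ...") into one comparable integer:
# major*1000000 + minor*1000 + patchlevel. Returns 1 if no OpenSSH version.
openssh_version_key() {
    _v=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)*.*/\1 \2 \4/p')
    [ -n "$_v" ] || return 1
    set -- $_v                      # word-split into: major minor [patch]
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# Prints vulnerable | not-vulnerable | unknown for one banner string.
openssh_regresshion_status() {
    _key=$(openssh_version_key "$1") || { echo unknown; return 0; }
    _v4_4p1=$(( 4 * 1000000 + 4 * 1000 + 1 ))
    _v8_5p1=$(( 8 * 1000000 + 5 * 1000 + 1 ))
    _v9_8p1=$(( 9 * 1000000 + 8 * 1000 + 1 ))
    if   [ "$_key" -lt "$_v4_4p1" ]; then echo vulnerable
    elif [ "$_key" -lt "$_v8_5p1" ]; then echo not-vulnerable
    elif [ "$_key" -lt "$_v9_8p1" ]; then echo vulnerable
    else                                  echo not-vulnerable
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "SSH-2.0-OpenSSH_9.7p1" \
              "SSH-2.0-OpenSSH_9.8p1" \
              "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3" \
              "SSH-2.0-dropbear_2022.83"; do
    printf '%-40s %s\n' "$banner" "$(openssh_regresshion_status "$banner")"
done
```

For a local binary, feed it the `ssh -V` output (which goes to stderr): `openssh_regresshion_status "$(ssh -V 2>&1)"`; for a remote host, the first line the server sends on port 22 is the banner. Treat "vulnerable" as "check the package changelog", not as a verdict.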

Any indication when Alpine might have a fix?

eriknordmark avatar Jul 01 '24 18:07 eriknordmark

FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile

rene avatar Jul 02 '24 09:07 rene

> Any indication when Alpine might have a fix?

Hard to say. I fear that for alpine 3.16 there will not be an update for openssh - but we're already using some packages from newer versions. Last update for openssh was in April - https://pkgs.alpinelinux.org/packages?name=openssh&branch=edge&repo=&arch=&maintainer= .

christoph-zededa avatar Jul 02 '24 09:07 christoph-zededa

> Any indication when Alpine might have a fix?
>
> Hard to say. I fear that for alpine 3.16 there will not be an update for openssh - but we're already using some packages from newer versions. Last update for openssh was in April - https://pkgs.alpinelinux.org/packages?name=openssh&branch=edge&repo=&arch=&maintainer= .

@christoph-zededa , you can try to build the latest package from edge, the one I pointed in the comments... it's using 9.7p1 but you can try to bump to 9.8p1...

rene avatar Jul 02 '24 09:07 rene

@rene

> FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile

But they didn't update the version in their git repository either ... I see:

```
> git log --pretty=format:"%h%x09%an%x09%ad%x09%s" ./main/openssh | head
e4bc62018e1	Sören Tempel	Thu Apr 4 07:16:38 2024 +0200	main/openssh: enable check() again
b34d5a41ca0	Sören Tempel	Mon Apr 1 01:09:16 2024 +0200	main/openssh: remove fix-verify-dns-segfault.patch
924e8ad166b	Sören Tempel	Mon Apr 1 17:42:32 2024 +0200	main/openssh: remove zero-call-used-regs_all.patch
36d9b553d84	Sören Tempel	Mon Apr 1 01:53:48 2024 +0200	main/openssh: remove gss-serv.c.patch
b544dbe9982	Sören Tempel	Mon Apr 1 06:18:58 2024 +0200	main/openssh: remove sftp-interactive.patch
305d0655aa8	Andy Postnikov	Wed Mar 13 07:58:30 2024 +0100	main/openssh: upgrade to 9.7_p1
ec1af78e994	omni	Mon Dec 18 23:46:08 2023 +0000	main/openssh: security upgrade to 9.6p1
978509f17cd	Milan P. Stanić	Wed Oct 4 14:30:28 2023 +0000	main/openssh: upgrade to 9.5_p1
a78e32f046f	Milan P. Stanić	Thu Aug 10 20:16:53 2023 +0000	main/openssh: upgrade to 9.4_p1
4b4cd657e54	Arnav Singh	Thu Aug 10 09:56:18 2023 -0700	main/openssh: fix init.d script to also look in sshd_config.d/*.conf
```

christoph-zededa avatar Jul 02 '24 09:07 christoph-zededa

> @rene
>
> > FWIW, here is an example on how to build Alpine packages from Dockerfile: https://github.com/lf-edge/eve/blob/master/pkg/cross-compilers/Dockerfile
>
> But they didn't update the version in their git repository either ... I see:
>
> ```
> > git log --pretty=format:"%h%x09%an%x09%ad%x09%s" ./main/openssh | head
> e4bc62018e1	Sören Tempel	Thu Apr 4 07:16:38 2024 +0200	main/openssh: enable check() again
> b34d5a41ca0	Sören Tempel	Mon Apr 1 01:09:16 2024 +0200	main/openssh: remove fix-verify-dns-segfault.patch
> 924e8ad166b	Sören Tempel	Mon Apr 1 17:42:32 2024 +0200	main/openssh: remove zero-call-used-regs_all.patch
> 36d9b553d84	Sören Tempel	Mon Apr 1 01:53:48 2024 +0200	main/openssh: remove gss-serv.c.patch
> b544dbe9982	Sören Tempel	Mon Apr 1 06:18:58 2024 +0200	main/openssh: remove sftp-interactive.patch
> 305d0655aa8	Andy Postnikov	Wed Mar 13 07:58:30 2024 +0100	main/openssh: upgrade to 9.7_p1
> ec1af78e994	omni	Mon Dec 18 23:46:08 2023 +0000	main/openssh: security upgrade to 9.6p1
> 978509f17cd	Milan P. Stanić	Wed Oct 4 14:30:28 2023 +0000	main/openssh: upgrade to 9.5_p1
> a78e32f046f	Milan P. Stanić	Thu Aug 10 20:16:53 2023 +0000	main/openssh: upgrade to 9.4_p1
> 4b4cd657e54	Arnav Singh	Thu Aug 10 09:56:18 2023 -0700	main/openssh: fix init.d script to also look in sshd_config.d/*.conf
> ```

See https://github.com/lf-edge/eve/pull/4042#issuecomment-2202541360

rene avatar Jul 02 '24 09:07 rene

There is a ticket from @famleebob https://github.com/lf-edge/eve/issues/3994 regarding alpine upgrade. Any chances 3.20 alpine has fresh updates? So we can close two things at the same time.

Also cc @shjala

rouming avatar Jul 02 '24 09:07 rouming

> There is a ticket from @famleebob #3994 regarding alpine upgrade. Any chances 3.20 alpine has fresh updates? So we can close two things at the same time.
>
> Also cc @shjala

@rouming that would be great, but it seems they didn't update it: https://github.com/lf-edge/eve/pull/4042#issuecomment-2202547072

rene avatar Jul 02 '24 10:07 rene

I also found sshd service starting with SOME docker-compose file: https://github.com/lf-edge/eve/blob/0ee051623dcc26176c82ad012a8f29ca35fbbd9f/docker-compose.yml#L174 Do we know if the file is used by any part of the system?...

OhmSpectator avatar Jul 02 '24 11:07 OhmSpectator

> I also found sshd service starting with SOME docker-compose file:
>
> https://github.com/lf-edge/eve/blob/0ee051623dcc26176c82ad012a8f29ca35fbbd9f/docker-compose.yml#L174
>
> Do we know if the file is used by any part of the system?...

@OhmSpectator , this file is used for `make run-compose`, which aims to "run all EVE microservices via docker-compose deployment"... TBH I don't know if this is being in use somewhere....

rene avatar Jul 02 '24 11:07 rene

@christoph-zededa , I'm still wondering about this patch:

  • https://git.alpinelinux.org/aports/tree/main/openssh/fix-utmp.patch : I just found this reference for the define: https://github.com/dougEfresh/sshd-passwd-pot/commit/82277771801ec67844a6c060f10739049d41a645 , are you sure we don't need this change in the define? It looks like it's musl specific because of the utmp/utmpx implementation...

rene avatar Jul 02 '24 12:07 rene

TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit :-(

christoph-zededa avatar Jul 02 '24 12:07 christoph-zededa

> TOOMANYREQUESTS: You have reached your pull rate limit.

We should replace this message with something like "NO MORE BUILDS, FEIERABEND!"

OhmSpectator avatar Jul 02 '24 12:07 OhmSpectator

> > TOOMANYREQUESTS: You have reached your pull rate limit.
>
> We should replace this message with something like "NO MORE BUILDS, FEIERABEND!"

Maybe this will help: https://github.com/lf-edge/eve/pull/4043

milan-zededa avatar Jul 02 '24 13:07 milan-zededa

LGTM

rene avatar Jul 03 '24 15:07 rene

Should this be also backported to LTS versions, i.e. have the "stable" label?

milan-zededa avatar Jul 08 '24 09:07 milan-zededa