I’m running a few Debian stable systems that are up to date on patches.
But I just ran ssh -V and the OpenSSH version listed is “OpenSSH_9.2p1 Debian-2+deb12u3” which as I understand is still vulnerable.
Am I missing something or am I good?
Never mind, found the Debian security bulletin, my version is patched already.
Leaving this here for any other newbies that might be wondering.
Sorry, all!
“oh but Debian only has old stuff” , yeah sure. :P
They patch stuff like this fast because it’s a remote exploit. Local privilege escalation exploits are fixed much slower.
I know, I know, but trust me that a lot of people believe that they don’t issue security patches fast.
LTS means security fixes, but little else if any. good luck if you need a feature that came out a year ago it’s not in the repo yet
That version has been patched.
PoC on 32 bit requires thousands of authentication attempts, so any sane firewall should protect you against it already. Afaik there isnt any for 64 bit