Critical OpenSSH vulnerability (CVE-2024-6387)

[EricAman]

I received an email from Google about a critical OpenSSH vulnerability (https://cloud.google.com/compute/docs/security-bulletins#gcp-2024-040). Are the VMs running Nightscout affected? If so, is there a fix in the works?

Thanks,

[Navid200]

This is news for me too.

I just logged into my server and created a backup and downloaded it to my computer just in case. This is how you can do that:
https://navid200.github.io/xDrip/docs/Nightscout/DatabaseBackup.html

I then read this from the firm that has reported the issue: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

It shows what SSH versions are vulnerable as :
OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.

I then checked to see what version of SSH we have by typing the following in a terminal: ssh -V

And got this as my version: OpenSSH_8.2p1

So, we are not vulnerable.

I will continue to read and report what I find.