Is addon vulnerable to regreSSHion?

[0anton]

Problem/Motivation

Potentially version is vulnerable to remote code execution as per CVE-2024-6387

 Add-on version: 17.3.0
 You are running the latest version of this add-on.
 System: Debian GNU/Linux 12 (bookworm)  (aarch64 / qemuarm-64)
 Home Assistant Core: 2024.7.1
 Home Assistant Supervisor: 2024.06.2

➜  ~ ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023

Related to:

addon-ssh/ssh/Dockerfile

Line 59 in 7fd5170

openssh=9.7_p1-r4 \

Currently used ssh version looks updated already, but the addon (18) is not yet released (17.3.0 is reported as latest in HA).

Both latest released and latest unreleased ssh version may be vulnerable:

The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Source

Expected behavior

We need an assurance that SSH Addon does not ship a vulnerable version of openssh (remote code execution).

Proposed changes

Update openssh package to the latest version.

[frenck]

This is more a support question. Feel free to determine if it is.

Please note, this is not running Debian. This add-on runs Alpine Linux, which is musl-based, not GLIBC.

I was prepping a release though, so should be available soon™️

[corvy]

Yeah I think it is only exploitable on GLIBC.

[frenck]

Yup it is not affected, see also here: https://fosstodon.org/@musl/112711796005712271