Hi,

I have checked the source code and I can confirm that the code pointed to https://security-tracker.debian.org/tracker/CVE-2024-6387 as "introduced with" (https://github.com/openssh/openssh-portable/commit/752250caabda3dd24635503c4cd689b32a650794) is not in the source, and therefore must have been introduced later.

Cheers

// Ola

On Mon, 1 Jul 2024 at 11:33, Marc SCHAEFER <schae...@alphanet.ch> wrote:
>
> Hello,
>
> Regarding https://security-tracker.debian.org/tracker/CVE-2024-6387
> I guess *buster* is not affected either, because it did not
> integrate the patchset from 2020?
>
> I ask this even if buster LTS support stopped ... yesterday.
>
> I still have one server (upgrading today) which has a fully
> accessible SSH server on buster (actually it will be stopped
> during the upgrade, and then bullseye is marked non-vulnerable).
>
> But still, this is a big potential vulnerability, so maybe communicating
> on it should be a good idea.
>
> Have a nice day.
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------