Critical OpenSSH Vulnerability (CVE-2024-6387) – How to Fix on Debian / HestiaCP
What is the vulnerability?
CVE-2024-6387, also known as regreSSHion, is a critical vulnerability in the OpenSSH server that may allow remote unauthenticated code execution as root on Linux systems using glibc.
Affected versions include:
- OpenSSH 8.5p1 through 9.7p1
Any server with SSH exposed to the internet is at high risk.
How to check your current OpenSSH version
Run on the server:
ssh -V
If the version is lower than 9.8p1, your system must be updated.
Fix on Debian 12 (Bookworm) using Backports
Debian provides a fixed OpenSSH through backports, which is the recommended, low-risk approach and does not require upgrading the OS.
Add the backports repository
echo "deb http://deb.debian.org/debian bookworm-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
Update package lists
sudo apt update
Check the fixed version availability
apt-cache policy -t bookworm-backports openssh-server
You should see OpenSSH 9.8p1 or newer.
Upgrade OpenSSH (server and client)
sudo apt -t bookworm-backports install openssh-server openssh-client
Validate SSH configuration (important)
Before restarting the service:
sudo sshd -t
If there is no output, the configuration is valid.
Confirm the installed version
ssh -V
Expected output example:
OpenSSH_10.0p2
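The version check the article relies on (running `ssh -V` before and after the upgrade) can be scripted. This is an added example, not code from the article or from HestiaCP; the function names are the example's own, and the affected range it tests is the one the article states (8.5p1 through 9.7p1):

```shell
#!/bin/sh
# Added example, not from the original article: classify an `ssh -V` banner
# against the affected range the article lists (OpenSSH 8.5p1 through 9.7p1).
# Function names here are the example's own, not any tool's.

# Print "MAJOR MINOR" parsed from a banner such as the constructed sample
# "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023".
# Returns 1 when the text carries no "OpenSSH_X.Y" version.
parse_openssh_version() {
    rest=${1#*OpenSSH_}
    [ "$rest" != "$1" ] || return 1      # no "OpenSSH_" marker at all
    ver=${rest%%[!0-9.p]*}               # keep the leading "9.2p1" part only
    case $ver in *.*) ;; *) return 1 ;; esac
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    printf '%s %s\n' "$major" "$minor"
}

# Return 0 when the upstream version is inside 8.5 .. 9.7 (affected per the
# article), 1 when it is outside that range or cannot be parsed.
openssh_version_affected() {
    v=$(parse_openssh_version "$1") || return 1
    set -- $v
    if [ "$1" -eq 8 ] && [ "$2" -ge 5 ]; then return 0; fi
    if [ "$1" -eq 9 ] && [ "$2" -le 7 ]; then return 0; fi
    return 1
}

# Run on the server itself. `ssh -V` writes its banner to stderr, hence 2>&1.
# A distribution package can carry the fix without a new upstream version,
# so an "affected" result is a prompt to check the package changelog, not a verdict.
check_local_ssh() {
    banner=$(ssh -V 2>&1) || return 2
    if openssh_version_affected "$banner"; then
        echo "AFFECTED by upstream version: $banner"
        return 1
    fi
    echo "Outside affected range: $banner"
    return 0
}
```

Call `check_local_ssh` on the server; because `ssh -V` reports only the upstream version, a Debian package that received the fix as a security update keeps its 9.2p1 banner, so confirm with `apt changelog openssh-server` when the result says affected.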