wally.nl

  1. There is something fishy going on with sshd versioning anyway. ssh -v <my_nas> shows version 9.3:

         debug1: Remote protocol version 2.0, remote software version OpenSSH_9.3
         debug1: compat_banner: match: OpenSSH_9.3 pat OpenSSH* compat 0x04000000

     On unraid, ssh -V shows the same 9.3 version:

         # sshd -V
         OpenSSH_9.3, OpenSSL 1.1.1v 1 Aug 2023

     But using an unknown parameter displays the patched version?

         # sshd -v
         unknown option -- v
         OpenSSH_9.3p2, OpenSSL 1.1.1v 1 Aug 2023

  2. I'm new to unraid but couldn't find an answer quickly searching the forum. I've scanned my new unraid build with outpost24 and it found one critical issue (CVE 2023-38408) which could be fixed by updating sshd. Usually something like this would be fixed with a simple yum or apt update, but although it's fairly easy and straightforward to update the docker containers on unraid, I can't find how to update the unraid OS packages.

     Vulnerability Information: The PKCS#11 feature in ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

     Solution: Upgrade to version 9.4 or later of OpenSSH.

     Category: Update
     Product: OpenSSH
     CVE: CVE-2023-38408
     Bugtraq: No bugtraq
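
Added example, not part of the original posts: a small triage helper showing why a version string without the portable patch level ("OpenSSH_9.3") cannot settle a version-based scanner finding, while "OpenSSH_9.3p2" can. The names `parse_openssh`, `triage` and `FIXED` are hypothetical, and treating 9.3p2 as the first fixed release is an assumption taken from the first post's description of it as the patched version.

```python
import re

# Assumption: 9.3p2 is the first fixed release for CVE-2023-38408,
# following the first post, which calls 9.3p2 "the patched version".
FIXED = (9, 3, 2)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh(text):
    """Return (major, minor, patch_or_None) from a banner or -V line, else None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)


def triage(text, fixed=FIXED):
    """Classify a version string as 'fixed', 'older', 'indeterminate' or 'unparsed'."""
    version = parse_openssh(text)
    if version is None:
        return "unparsed"
    major, minor, patch = version
    if (major, minor) > fixed[:2]:
        return "fixed"
    if (major, minor) < fixed[:2]:
        return "older"
    # Same major.minor as the fixed release: only the patch level decides.
    if patch is None:
        return "indeterminate"  # e.g. "OpenSSH_9.3": could be p1 or p2
    return "fixed" if patch >= fixed[2] else "older"


# Version strings copied from the first post.
SAMPLES = [
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_9.3",
    "OpenSSH_9.3, OpenSSL 1.1.1v 1 Aug 2023",
    "OpenSSH_9.3p2, OpenSSL 1.1.1v 1 Aug 2023",
]


def report(samples=SAMPLES):
    """Pair each sample line with its triage verdict."""
    return [(line, triage(line)) for line in samples]


if __name__ == "__main__":
    for line, verdict in report():
        print(f"{verdict:14} {line}")
```

An "indeterminate" verdict means the finding needs confirmation from a source that reports the full release string, such as the package manifest or the binary itself.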