Google is stating that the system image cos-101-17162-463-55 is not vulnerable to the security vulnerability CVE-2024-6387, but they don't say why.
I'm confused, as I've installed cos-101-17162-463-55:
> cat /etc/os-release
NAME="Container-Optimized OS"
ID=cos
PRETTY_NAME="Container-Optimized OS from Google"
HOME_URL="https://cloud.google.com/container-optimized-os/docs"
BUG_REPORT_URL="https://cloud.google.com/container-optimized-os/docs/resources/support-policy#contact_us"
GOOGLE_METRICS_PRODUCT_ID=26
GOOGLE_CRASH_ID=Lakitu
KERNEL_COMMIT_ID=d650d6e37bc746134b41f3f34a31d4af7d875438
VERSION=101
VERSION_ID=101
BUILD_ID=17162.463.55
But OpenSSH is still on one of the vulnerable versions:
> ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1v 1 Aug 2023
https://www.openssh.com/txt/release-9.8 says versions 8.5p1 - 9.7p1 are affected.
Did they just apply another patch to fix this without updating ssh?
I checked grep 'LoginGraceTime' /etc/ssh/sshd_config, which is a patch suggested by Google, but it seems that it's not applied.
I applied the LoginGraceTime = 0 workaround manually, just in case, but am still confused whether the system update should have updated ssh to version 9.8 or not.
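The two checks the post runs by hand (compare the `ssh -V` version string with the 8.5p1 - 9.7p1 range from the OpenSSH 9.8 release notes, and look for the LoginGraceTime 0 workaround in sshd_config) can be scripted into a single triage routine. The script below is an added example and is not part of the original post or of COS; the function names are my own, the sshd_config sample is constructed, and the version line is the one from the post. It assumes sshd's documented behaviour that the first uncommented occurrence of a keyword wins and that `Keyword value` and `Keyword=value` are both accepted. One caveat the script makes explicit: a vendor that backports the fix without bumping the version string (which is what the post suspects Google did) still reports `OpenSSH_8.5p1`, so "version in affected range" means "consult the vendor advisory", not "exposed".

```shell
#!/bin/sh
# Added example (not from the original post): triage an OpenSSH version string
# against the affected range published in the OpenSSH 9.8 release notes for
# CVE-2024-6387 (8.5p1 through 9.7p1) and check whether the LoginGraceTime 0
# workaround is set in an sshd_config. A backported fix does not change the
# version string, so an in-range version is a prompt to check the vendor
# advisory, not proof of exposure.

# Print "MAJOR MINOR" from an `ssh -V` line such as
# "OpenSSH_8.5p1, OpenSSL 1.1.1v 1 Aug 2023"; print nothing if unparsable.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit 0 if MAJOR.MINOR lies in 8.5 .. 9.7 inclusive, 1 if outside, 2 if unparsable.
version_in_affected_range() {
    set -- $(openssh_version "$1")
    [ -n "${1:-}" ] || return 2
    if [ "$1" -eq 8 ] && [ "$2" -ge 5 ]; then return 0; fi
    if [ "$1" -eq 9 ] && [ "$2" -le 7 ]; then return 0; fi
    return 1
}

# Print the effective LoginGraceTime (seconds) from sshd_config text. sshd uses
# the first uncommented occurrence of a keyword; "Keyword value" and
# "Keyword=value" are both accepted. The compiled-in default is 120 when unset.
login_grace_time() {
    v=$(printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { line = $0; gsub(/=/, " ", line); n = split(line, f)
          if (n >= 2 && tolower(f[1]) == "logingracetime") { print f[2]; exit } }')
    printf '%s\n' "${v:-120}"
}

# Combine both checks into one verdict string for the host.
assess() {
    rc=0
    version_in_affected_range "$1" || rc=$?
    case $rc in
        2) echo "version-unparsable" ;;
        1) echo "version-outside-affected-range" ;;
        0) if [ "$(login_grace_time "$2")" = "0" ]; then
               echo "version-in-affected-range-workaround-applied"
           else
               # Either exposed or fixed by a vendor backport: only the
               # vendor's advisory (here, Google's COS release notes) can tell.
               echo "version-in-affected-range-check-vendor-backport"
           fi ;;
    esac
}

# Constructed sample input: the version line quoted in the post and an
# sshd_config fragment where LoginGraceTime is only set in a comment.
SAMPLE_VERSION='OpenSSH_8.5p1, OpenSSL 1.1.1v 1 Aug 2023'
SAMPLE_CONFIG='# LoginGraceTime 0
PermitRootLogin no
LoginGraceTime 120'

assess "$SAMPLE_VERSION" "$SAMPLE_CONFIG"
```

On a live host you would feed it `"$(ssh -V 2>&1)"` and `"$(cat /etc/ssh/sshd_config)"`; `sshd -T` would be the more complete source for the effective value, since it resolves includes and Match blocks that this parser ignores.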