Qualys made this SSH vulnerability public yesterday.
Debian and Ubuntu already provide patches for this: https://ubuntu.com/security/notices/USN-6859-1
I’ve made an update to gitlab/gitlab-ee:17.1.1-ee.0
but here SSH remains vulnerable:
$ docker exec -it gitlab_web_1 /bin/bash
root@docker-gitlab:/# apt list | grep openssh-server
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
openssh-server/now 1:8.9p1-3ubuntu0.7 amd64 [installed,local]
root@docker-gitlab:/# grep VERSION /etc/os-release
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
As you can see from Ubuntu’s security notice, the patched version is 1:8.9p1-3ubuntu0.10, but the container runs 1:8.9p1-3ubuntu0.7, which is still vulnerable.
Will there be updates of the docker container with the fixed SSH version in the near future, or do I have to update openssh-server myself?
In Issues · GitLab.org / GitLab · GitLab I could not find any issue about this, unless I’m looking in the wrong repository.
Thanks.