Latest docker images are still vulnerable to regreSSHion

Qualys made this SSH vulnerability public yesterday.

Debian and Ubuntu already provide patches for this: https://ubuntu.com/security/notices/USN-6859-1

I’ve updated to gitlab/gitlab-ee:17.1.1-ee.0, but SSH remains vulnerable there:

$ docker exec -it gitlab_web_1 /bin/bash
root@docker-gitlab:/# apt list | grep openssh-server

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

openssh-server/now 1:8.9p1-3ubuntu0.7 amd64 [installed,local]
root@docker-gitlab:/# grep VERSION /etc/os-release
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy

As you can see from Ubuntu’s security notice, the patched version is 1:8.9p1-3ubuntu0.10, but the container runs 1:8.9p1-3ubuntu0.7, which is still vulnerable.

Will there be updates of the docker container with the fixed SSH version in the near future, or do I have to update openssh-server myself?

In Issues · GitLab.org / GitLab · GitLab I could not find any issue about this, unless I’m looking in the wrong repository.

Thanks.

It’s the correct place. I would suggest opening an issue there to make the devs aware of it (since they don’t tend to read forum posts), so that they can work on fixing their container image - although if it’s based on Debian/Ubuntu, for example, they would just need to pull a new base image and all would work without too much effort.

I’ve opened an issue for this: Current docker image gitlab/gitlab-ee:17.1.1-ee.0 is still vulnerable to regreSSHion (#470184) · Issues · GitLab.org / GitLab · GitLab
