CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Support for security such as Firewalls and securing linux
mania
Posts: 49
Joined: 2020/12/19 05:55:37

CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by mania » 2021/03/16 07:52:12

Hi,
I did not find any related link or topic about CVE-2021-28041 on the Red Hat website. I would appreciate it if somebody could tell me whether CentOS 7 is vulnerable. How can I mitigate it?


TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by TrevorH » 2021/03/16 10:21:37

7.6 is unsupported and has been since the release of 7.7 in mid 2019.

yum update
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by mania » 2021/03/16 11:05:27

Thanks for your reply. It looks like a blank page, doesn't it?

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by mania » 2021/03/16 11:06:23

TrevorH wrote:
2021/03/16 10:21:37
7.6 is unsupported and has been since the release of 7.7 in mid 2019.

yum update

I think it does not even talk about supported versions.

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by mania » 2021/03/16 11:26:24

TrevorH wrote:
2021/03/16 10:21:37
7.6 is unsupported and has been since the release of 7.7 in mid 2019.

yum update

Is it possible to install openssh 8.5 without internet access?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by jlehtone » 2021/03/16 13:41:57

mania wrote:
2021/03/16 11:05:27
Thanks for your reply. It looks like a blank page, doesn't it?

It is not a blank page for me. Check your browser.

Red Hat wrote:
Statement
This issue doesn't affect any versions of OpenSSH packaged and shipped with Red Hat Enterprise Linux 6, 7 and 8. The issue was introduced in OpenSSH 8.2 while the most recent OpenSSH version available for Red Hat Enterprise Linux 8 is based on OpenSSH 8.0.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by TrevorH » 2021/03/16 15:33:43

mania wrote:
Is it possible to install openssh 8.5 without internet access?

No - because we do not ship openssh 8. The copy of openssh shipped with CentOS 7 is openssh-server-7.4p1-21.el7.x86_64 and will most likely never get updated to an 8.x version.

mania wrote:
I think it does not even talk about supported versions.

I am telling you that CentOS 7.6 is unsupported. It gets no updates other than "update to 7.9 which is the latest version".

If you look at the page that jlehtone pointed you to, it clearly says that no version of CentOS ships a copy of openssh that is vulnerable to this flaw.

Red Hat wrote:
This issue doesn't affect any versions of OpenSSH packaged and shipped with Red Hat Enterprise Linux 6, 7 and 8. The issue was introduced in OpenSSH 8.2 while the most recent OpenSSH version available for Red Hat Enterprise Linux 8 is based on OpenSSH 8.0.
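
The version reasoning in the reply above, as an added example that is not part of any post in this thread: a POSIX shell check that extracts the upstream OpenSSH version from a package string and tests it against the affected range. The function names are hypothetical, the sample strings other than openssh-server-7.4p1-21.el7.x86_64 are constructed, and the range assumes the issue was introduced in 8.2 (per the Red Hat statement) and fixed upstream in 8.5.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed affected range: 8.2 <= version < 8.5.
# A package based on an upstream release older than 8.2 never contained the code,
# which is the reasoning in the Red Hat statement quoted above.

# Print upstream "major.minor" from a string such as
# openssh-server-7.4p1-21.el7.x86_64 or a bare version such as 8.4p1.
upstream_version() {
    uv=${1#openssh-server-}     # drop package name if present
    uv=${uv#openssh-}
    uv=${uv%%-*}                # drop release and arch -> "7.4p1"
    uv=${uv%%p*}                # drop portable suffix  -> "7.4"
    case $uv in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # not a dotted number
        *.*) printf '%s\n' "$uv" ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = in affected range, 1 = outside it, 2 = could not parse.
is_affected() {
    v=$(upstream_version "$1") || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -eq 8 ] && [ "$minor" -ge 2 ] && [ "$minor" -lt 5 ]
}

# Constructed samples; on a live host pass "$(rpm -q openssh-server)" instead.
for pkg in "openssh-server-7.4p1-21.el7.x86_64" \
           "openssh-8.0p1-5.el8.x86_64" \
           "8.4p1"; do
    rc=0
    is_affected "$pkg" || rc=$?
    case $rc in
        0) echo "$pkg: upstream version is in the affected range" ;;
        1) echo "$pkg: upstream version is outside the affected range" ;;
        *) echo "$pkg: could not determine version" ;;
    esac
done
```

Status 2 covers the case where the package query returns an error message instead of a version string, so a missing package is not silently reported as unaffected.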

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by mania » 2021/03/18 11:01:12

Hi,
First of all, thanks for your reply. Second, I found the sentence below a little confusing. What are "previous versions"? Does it mean Red Hat versions before Red Hat Enterprise Linux 6, or before OpenSSH 8.0?


Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-28041 Vulnerability in CentOS 7 (7.6.1810)

Post by TrevorH » 2021/03/18 11:13:12

Well since the RH page explicitly does say that all versions of openssh shipped with all versions of RHEL are unaffected...
