Score:0

CVE-2021-41617 in Ubuntu Jammy needed


Dear Ubuntu Community,

I have a question regarding CVE-2021-41617. On https://ubuntu.com/security/CVE-2021-41617 I can see that a fix for Ubuntu Jammy is needed, but in the changelog https://launchpad.net/ubuntu/jammy/+source/openssh/+changelog I can see that CVE-2021-41617 is fixed. Also, the security scanners found Ubuntu Jammy vulnerable to the mentioned CVE. Does anyone know why it is still reported for Jammy? Am I missing something?

Thanks in advance

Artur Meinild
It seems someone forgot to update the Ubuntu security site, as it seems fixed. I'd trust the changenotes more than the CVE site in this case.
user535733
"security scanners" are notoriously ill-informed and prone to false results. Their output should be considered a first draft for human review.
Score:2

The available evidence leads to the conclusion that the CVE mitigation patch was indeed applied in 2021, and that the discrepancy has a reasonable explanation.

The patch was seemingly applied at Debian, not by the Ubuntu Security Team. The reference bug number "(closes: #995130)" is a Debian bug reference, not a Launchpad bug.

Nothing wrong there -- that's a reasonable place to do the patching, and the patching was done by a developer with plenty of experience with that code and a great reputation at both Debian and Ubuntu. But it does perhaps explain why the Ubuntu tracker didn't notice.

I have pinged the Ubuntu Security Team to review and decide if any change to their tracker is needed.

Dimitar Kapashikov
Thank you very much for the quick resolution. I'd like to ask about this one: https://ubuntu.com/security/CVE-2020-14145. Here only versions of openssh up to 8.6 are mentioned. In Jammy we have openssh 8.9; does this mean that it is not vulnerable to the mentioned CVE?
user535733
Please open new Questions for separate issues. Be sure to read the engineer comments, which usually explain the issue (and resolution) better than the volunteers here can.
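
The check described in the answer above (find the changelog entry that mentions the CVE and see whether its bug reference is a Debian "closes: #N" or a Launchpad "LP: #N") can be scripted when triaging a scanner finding. This is an added example, not code from the thread or from Ubuntu's tooling; the sample changelog is constructed, and only the CVE id and "(closes: #995130)" come from the thread.

```python
import re

# Constructed excerpt in Debian changelog format. Versions, summaries, maintainer
# and the LP number are placeholders, not real data.
SAMPLE_CHANGELOG = """\
openssh (0.0-placeholder2) jammy; urgency=medium

  * Constructed Ubuntu-only change (LP: #0000000).

 -- Constructed Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

openssh (0.0-placeholder1) unstable; urgency=medium

  * Constructed entry standing in for the upload discussed in the thread:
    - CVE-2021-41617: constructed summary (closes: #995130).

 -- Constructed Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
"""

# Entry header: "package (version) distribution(s); key=value"
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) [^;]+;")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
# Bug-closing markers: Debian BTS uses "Closes: #N", Launchpad uses "LP: #N".
TRACKERS = {
    "debian": re.compile(r"closes:\s*(#?\d+(?:,\s*#?\d+)*)", re.I),
    "launchpad": re.compile(r"LP:\s*(#\d+(?:,\s*#\d+)*)"),
}

def parse_changelog(text):
    """Return one dict per entry (newest first) with its CVE ids and bug refs."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"version": m["ver"], "cves": set(),
                            "debian": set(), "launchpad": set()})
            continue
        if not entries or line.startswith(" -- "):
            continue  # skip text before the first header and maintainer trailers
        entries[-1]["cves"].update(CVE.findall(line))
        for name, rx in TRACKERS.items():
            for ref in rx.finditer(line):
                entries[-1][name].update(re.findall(r"\d+", ref.group(1)))
    return entries

def where_fixed(text, cve):
    """Oldest entry mentioning cve: (version, trackers it references), or None."""
    hits = [e for e in parse_changelog(text) if cve in e["cves"]]
    if not hits:
        return None
    return hits[-1]["version"], sorted(t for t in TRACKERS if hits[-1][t])
```

On a real system the input would be the package's own changelog text (for example the output of `apt changelog openssh`); a bug reference split across two lines is not joined by this line-by-line parser.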