docker image gitlab-ce:17.6.0-ce.0，OpenSSH_8.9p1 version is too low and has high-risk vulnerabilities

[hellozrh]

docker image:

docker pull gitlab/gitlab-ce:latest

or

docker pull gitlab/gitlab-ce:17.6.0-ce.0

docker exec gitlab-ce-demo ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022

The latest version of OpenSSH is OpenSSH_9.8p1, please upgrade to the latest version.

[kkimurak]

This is a repository for sameersbn/gitlab, not gitlab/gitlab-ce. Please report it on https://gitlab.com/gitlab-org/omnibus-gitlab

[kkimurak]

Also note that it is difficult to determine whether there is a vulnerability just by the version number (here, 8.9p1 or 9.8p1) because each Linux distribution may distribute a version with security patches applied at their own discretion.

Full version string of openssh-server package for ubuntu is "8.9p1-3ubuntu0.10" etc. It can be checked by executing apt --list *ssh* for example.

The version 8.9p1-3ubuntu0.10 is last updated on 2024-06-27. The release notes include the following comment, confirming that the recent vulnerability (CVE-2024-6387) has been addressed.
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

 * SECURITY UPDATE: remote code execution via signal handler race
    condition (LP: #2070497)
    - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
    -CVE-2024-6387

---

By the way, sameersbn/gitlab:latest (sameersbn/gitlab:17.5.2, at least now) is built based on ubuntu:focal and shipped with openssh-*/now 1:8.2p1-4ubuntu0.11 that is released on 2024-01-02.

I think it's better to upgrade base image to ubuntu:jammy which provides openssh-*/now 1:8.9p1-3ubuntu0.10. I am aware that some fixes are required, including changes to the package source repository. I'm currently working on it.
However, there is an issue where the CI release process is forced to terminate due to timeout. So it may take some time to be fixed.

[hellozrh]

This is a repository for sameersbn/gitlab, not gitlab/gitlab-ce. Please report it on https://gitlab.com/gitlab-org/omnibus-gitlab

I see. Thanks for the reminder.

[hellozrh]

Also note that it is difficult to determine whether there is a vulnerability just by the version number (here, 8.9p1 or 9.8p1) because each Linux distribution may distribute a version with security patches applied at their own discretion.

Full version string of openssh-server package for ubuntu is "8.9p1-3ubuntu0.10" etc. It can be checked by executing apt --list *ssh* for example.

The version 8.9p1-3ubuntu0.10 is last updated on 2024-06-27. The release notes include the following comment, confirming that the recent vulnerability (CVE-2024-6387) has been addressed. https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

 * SECURITY UPDATE: remote code execution via signal handler race
    condition (LP: #2070497)
    - debian/patches/CVE-2024-6387.patch: don't log in sshsigdie() in log.c.
    -CVE-2024-6387

By the way, sameersbn/gitlab:latest (sameersbn/gitlab:17.5.2, at least now) is built based on ubuntu:focal and shipped with openssh-*/now 1:8.2p1-4ubuntu0.11 that is released on 2024-01-02.

I think it's better to upgrade base image to ubuntu:jammy which provides openssh-*/now 1:8.9p1-3ubuntu0.10. I am aware that some fixes are required, including changes to the package source repository. I'm currently working on it. However, there is an issue where the CI release process is forced to terminate due to timeout. So it may take some time to be fixed.

You can close this issue if you don't need this.

[hellozrh]

I went to https://launchpad.net/ubuntu/+source/openssh and found that version 8.9p1-3ubuntu0.10 did fix the vulnerability CVE-2024-6387, and another vulnerability CVE-2024-39894 in the later version only affects OpenSSH versions between 9.5 and 9.8. Therefore, it seems that this version 8.9p1-3ubuntu0.10 is safe.