Newbie Question - How to install openssh 1:7.2p2-3

Asked by Jon

I already have openssh 7.2p2 installed, but need to figure out how to install the Debian patch of:
openssh (1:7.2p2-3) unstable; urgency=high

This is required to pass vulnerability scanning. Please help!

Question information

Language: English
Status: Solved
For: Ubuntu openssh
Assignee: No assignee
Solved by: Jon

actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug. Mark it as a security bug.

Jon (w-jon-f) said :
#2

I'm not sure how that helps - I haven't even tried to install 7.2p2-3 yet. I only have the base 7.2p2 installed. How do I get and install the update to 7.2p2-3?

Manfred Hampl (m-hampl) said :
#3

For diagnostic purposes please provide the output of the following commands (to be executed in a terminal window):

uname -a
lsb_release -crid
dpkg -l | grep openssl
apt-cache policy openssl

Manfred Hampl (m-hampl) said :
#4

Oops, typo error; the commands should have been:

uname -a
lsb_release -crid
dpkg -l | grep openssh
apt-cache policy openssh-client

Jon (w-jon-f) said :
#5

Hi Manfred,

Here is the output that you requested, plus the output of "ssh -V":

root@localhost:~# ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016

root@localhost:~# uname -a
Linux localhost 3.13.0-37-generic #64~precise1-Ubuntu SMP Wed Sep 24 21:37:11 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

root@localhost:~# lsb_release -crid
/usr/bin/python: /usr/local/lib/libcrypto.so.1.0.0: no version information available (required by /usr/bin/python)
/usr/bin/python: /usr/local/lib/libssl.so.1.0.0: no version information available (required by /usr/bin/python)
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

root@localhost:~# dpkg -l | grep openssh
ii openssh-client 1:5.9p1-5ubuntu1.9 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.9p1-5ubuntu1.9 secure shell (SSH) server, for secure access from remote machines

root@localhost:~# apt-cache policy openssh-client
openssh-client:
  Installed: 1:5.9p1-5ubuntu1.9
  Candidate: 1:5.9p1-5ubuntu1.9
  Version table:
 *** 1:5.9p1-5ubuntu1.9 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:5.9p1-5ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Manfred Hampl (m-hampl) said :
#6

Apparently you have installed openssh 7.2p2 from some foreign source, on top of the standard 1:5.9p1-5ubuntu1.9 version from the Ubuntu repositories.

It seems that mixing program versions from different sources has now created problems in your system (e.g. see the error messages from lsb_release -crid). It might be wise to get that problem resolved first.

From which source did you take that 7.2p2 version?
Are there any instructions on how to install an even higher version (7.2p2-3 or higher)?
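
The mismatch diagnosed in #6 (`ssh -V` reporting 7.2p2 while dpkg still lists 1:5.9p1-5ubuntu1.9) can be checked mechanically. The script below is an added example, not part of the original thread; the function names are hypothetical and the sample strings are quoted from the output posted in #5 and #7.

```shell
#!/bin/sh
# Added example: detect an OpenSSH binary that does not come from the dpkg package.
# On a live system: check_ssh_source "$(ssh -V 2>&1)" "$(dpkg -l)"

# Upstream version from an `ssh -V` banner: "OpenSSH_7.2p2, OpenSSL ..." -> 7.2p2
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p'
}

# Upstream part of a Debian version string: [epoch:]upstream[-revision]
deb_upstream() {
    v=$1
    case $v in *:*) v=${v#*:} ;; esac   # drop the epoch ("1:")
    case $v in *-*) v=${v%-*} ;; esac   # drop the Debian revision ("-5ubuntu1.9")
    printf '%s\n' "$v"
}

# Installed version of package $1, read from `dpkg -l` text on stdin (state "ii" only)
dpkg_version() {
    awk -v p="$1" '$1 == "ii" && $2 == p { print $3; exit }'
}

# Prints a verdict; returns 0 when binary and package agree, 1 otherwise.
check_ssh_source() {
    banner=$1
    dpkg_out=$2
    bin=$(banner_version "$banner")
    pkg=$(printf '%s\n' "$dpkg_out" | dpkg_version openssh-client)
    if [ -z "$bin" ] || [ -z "$pkg" ]; then
        echo "UNKNOWN: could not parse banner or package list"
        return 1
    fi
    if [ "$bin" = "$(deb_upstream "$pkg")" ]; then
        echo "OK: ssh $bin matches package $pkg"
        return 0
    fi
    echo "MISMATCH: ssh reports $bin but dpkg has $pkg (binary is not from the package)"
    return 1
}

# Sample input quoted from the thread: #5 (mixed install) and #7 (after the revert).
DPKG_LINE='ii openssh-client 1:5.9p1-5ubuntu1.9 secure shell (SSH) client, for secure access to remote machines'
check_ssh_source 'OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016' "$DPKG_LINE" || true
check_ssh_source 'OpenSSH_5.9p1 Debian-5ubuntu1.9, OpenSSL 1.0.1 14 Mar 2012' "$DPKG_LINE" || true
```

A MISMATCH verdict means the `ssh` found first on the PATH was installed outside apt, so `apt-get upgrade` will never patch it.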

Jon (w-jon-f) said :
#7

I did install it directly from OpenSSL and OpenSSH. I have now reverted back to the previous state (VM snapshot) to start again from where I began.

However, when I do an apt-get update and subsequent apt-get upgrade, there are no updates to openssl or openssh. Output below:

root@localhost:~# ssh -V
OpenSSH_5.9p1 Debian-5ubuntu1.9, OpenSSL 1.0.1 14 Mar 2012

root@localhost:~# uname -a
Linux localhost 3.13.0-37-generic #64~precise1-Ubuntu SMP Wed Sep 24 21:37:11 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

root@localhost:~# lsb_release -crid
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

root@localhost:~# dpkg -l | grep openssh
ii openssh-client 1:5.9p1-5ubuntu1.9 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:5.9p1-5ubuntu1.9 secure shell (SSH) server, for secure access from remote machines

root@localhost:~# apt-cache policy openssh-client
openssh-client:
  Installed: 1:5.9p1-5ubuntu1.9
  Candidate: 1:5.9p1-5ubuntu1.9
  Version table:
 *** 1:5.9p1-5ubuntu1.9 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:5.9p1-5ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

root@localhost:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  landscape-common linux-headers-generic-lts-saucy linux-headers-generic-lts-trusty linux-image-generic-lts-saucy linux-image-generic-lts-trusty
  xe-guest-utilities
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.

root@localhost:~# apt-get install openssh-server openssh-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssh-client is already the newest version.
openssh-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.

Jon (w-jon-f) said :
#8

The other thing that I noticed was that apt-get was holding some packages back. I'm not sure if it's important, but I also see that it references amd64, but the VM is running on Citrix Xenserver 6.5 sp1 on Intel CPUs.

Manfred Hampl (m-hampl) said :
#9

1. If you look at https://launchpad.net/ubuntu/+source/openssh you will see that for Ubuntu precise (12.04) the highest version provided in the official Ubuntu repositories is 1:5.9p1-5ubuntu1.9
There are some PPAs providing higher versions, but in a quick browse I did not see anything higher than 1:6.6 or something like that.

The development version Ubuntu 16.10 (to be published in October) currently has 1:7.2p2-5
But this version cannot be easily installed on precise due to unsatisfied dependencies on other packages.

If you want to have 1:7.2p2-3 then you most probably have to compile that from the original source.

2. For the apt-get update command

What is the output of
sudo apt-get dist-upgrade
?

The architecture of your VM is 64 bit. This is referred to with the names x86_64 and amd64 (even if it is not an AMD, but an Intel CPU).

Jon (w-jon-f) said :
#10

Output of apt-get dist-upgrade is at the bottom. Should I do a dist-upgrade or do-release-upgrade to get to 14.04? I actually did that and still could not get OpenSSH up to 7.2p2-3.

Is there any way that I can re-do what I had previously done (install direct from OpenSSL and OpenSSH) and overcome the python warning message about libcrypto?

/usr/bin/python: /usr/local/lib/libcrypto.so.1.0.0: no version information available (required by /usr/bin/python)
/usr/bin/python: /usr/local/lib/libssl.so.1.0.0: no version information available (required by /usr/bin/python)

apt-get dist-upgrade output:
---------------------------------------------------------------------
root@localhost:~# sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  libxenstore3.0 linux-headers-3.11.0-26 linux-headers-3.11.0-26-generic linux-headers-3.13.0-91 linux-headers-3.13.0-91-generic
  linux-image-3.11.0-26-generic linux-image-3.13.0-91-generic python-configobj xenstore-utils
The following packages will be upgraded:
  landscape-common linux-headers-generic-lts-saucy linux-headers-generic-lts-trusty linux-image-generic-lts-saucy linux-image-generic-lts-trusty
  xe-guest-utilities
6 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 138 MB of archives.
After this operation, 555 MB of additional disk space will be used.

Manfred Hampl (m-hampl) said :
#11

1. There is a difference between apt-get upgrade and apt-get dist-upgrade.
apt-get upgrade will only do version upgrades that do not require additions or deletions. If changed dependencies of the new package version require additions or deletions of other packages, these updates will be kept back.
To do such an upgrade, you have to use apt-get dist-upgrade.

2. What is the purpose of this system? Do you have the need for a specific Ubuntu release? Is there a reason for running 12.04, or could you use Ubuntu 16.04 without problems?
Ubuntu 16.04 would provide openssh 1:7.2p2-4ubuntu1

3. Apparently the Ubuntu package and your self-installed packages put certain libraries into different directories: /usr/local/lib/libcrypto.so.1.0.0 versus /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
It very much depends on the original source, what you can do about that.

Jon (w-jon-f) said :
#12

We have several 12.04 servers used for different purposes (separation of duties) for compliance reasons. For some, I don't see why we couldn't upgrade to 16.04. Can I do an upgrade directly to 16.04, or do I have to upgrade to 14.04, then to 16.04?

Manfred Hampl (m-hampl) said :
#13

The upgrades from one release to the next one and from one LTS to the next LTS release are well tested and usually work without problems. If you want to skip release(s) during an upgrade, you are leaving the recommended path and do that at your own risk. There are reports from people telling that they got perfect results, but in some cases such an upgrade or the upgraded system did not work as expected. It is not possible to predict the results.

One remark: The offer to upgrade from 14.04 to 16.04 will only be shown when the sub-release 16.04.1 is published; this is scheduled for July 21, 2016. There is the possibility for a manual upgrade even before that date.

I do not know your environment and the requirements for your systems, so I am not able to recommend what you should do. This is something you have to decide yourself.

Maybe you should start with a test installation of 16.04 to verify whether your applications are still functioning well with the new OS release.

Jon (w-jon-f) said :
#14

Thank you for your help. While I still have the issue, I think that the information provided here will get me where I need to go.