Hello and thanks for the bug report! To reduce the risk of regressions,
we prefer to backport security fixes to our stable releases rather than
bump them to an entirely new version of the openssh package. Please
refer to the Ubuntu CVE Tracker for known issues affecting OpenSSH:

  https://people.canonical.com/~ubuntu-security/cve/pkg/openssh.html

Ubuntu 16.04 LTS does have some outstanding OpenSSH CVEs that have not
yet been fixed but they're all rated low or negligible. However, I
expect that we'll begin work on security updates soon.

Please see the following FAQ entry for more details on our backporting
policy:

  https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

I'm going to mark this bug invalid since we're unwilling to bump to an
entirely new OpenSSH version and all known CVEs are being tracked in the
Ubuntu CVE Tracker. Thanks again for the report!

** Attachment removed: "SSHDConfig.txt"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1706543/+attachment/4921533/+files/SSHDConfig.txt

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1706543/+attachment/4921530/+files/JournalErrors.txt

** Information type changed from Private Security to Public Security

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1706543

Title:
  Upgrade to newer version (currently v7.5p1)

Status in openssh package in Ubuntu:
  Invalid

Bug description:
  LTS is running v7.2p2 from 01.Mar.2016.
  OpenSSH v7.5p1 has been available since 20.Mar.2017.

  For v7.2 there are at least 4 known vulnerabilities:

  https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-194112/Openbsd-Openssh-7.2.html

  which make the security package less secure.
  Please update it for LTS at least, not just "latest" and "forthcoming".

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.2
  Uname: Linux 4.11.7-041107-lowlatency x86_64
  ApportVersion: 2.20.1-0ubuntu2.10
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Wed Jul 26 09:52:16 2017
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)
