OpenSSH version upgrade

Did Sophos already release a fix for these CVEs?


CVE-2015-5600, CVE-2015-6563, CVE-2015-6564

CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858.


These are considered vulnerabilities, and what was advised to us is to perform patching or an upgrade of OpenSSH. However, only Sophos can do that.


Feedback is highly appreciated.


  • Hi Max and welcome to the UTM Community!

    2015 and 2016 vulnerabilities? I think you can assume that they were. Even if the version of OpenSSH in use in the UTM is older, the developers prefer to patch existing code in use instead of testing new versions and hardening them.

    That said, if you see evidence that one of those CVEs seems not to have been patched, please share that here.

    Cheers - Bob

  • In reply to BAlfson:

    As far as I can tell, most of the time, some of those scans only check the used version, do a cut, and assume all of those "open" CVEs are still affected.

    Instead, a valid test would be to try to use those attacks and see if UTM is still affected.

  • The CVEs fixed are usually listed in the release notes, so these could be searched?

  • In reply to Harro Verton:

    I just checked that, Harro, and it looks like most of those CVEs were from before the Up2Date blog was started. I looked for 2016-8858 and didn't find it either. Then I searched in general for it and found that OpenSSH doesn't consider the CVE correct and did nothing about it. As MBP said, most of those scanners are blunt knives, not honed, surgical steel. ;-)

    Cheers - Bob