From 8d9a1bdfb3e6f65b8ceaf7bb37452e7941ff30ad Mon Sep 17 00:00:00 2001
From: Burak Velioglu <velioglub@ubicloud.com>
Date: Thu, 4 Jul 2024 19:02:38 +0300
Subject: [PATCH] [ubicloud] Update OpenSSH version due to vulnerability

Vulnerability link: https://ubuntu.com/security/CVE-2024-6387
---
 images/ubuntu/templates/ubuntu-22.04.arm64.pkr.hcl | 6 ++++++
 images/ubuntu/templates/ubuntu-22.04.gpu.pkr.hcl   | 6 ++++++
 images/ubuntu/templates/ubuntu-22.04.pkr.hcl       | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/images/ubuntu/templates/ubuntu-22.04.arm64.pkr.hcl b/images/ubuntu/templates/ubuntu-22.04.arm64.pkr.hcl
index 4a1b25a8a2a7..3ae97459c26b 100644
--- a/images/ubuntu/templates/ubuntu-22.04.arm64.pkr.hcl
+++ b/images/ubuntu/templates/ubuntu-22.04.arm64.pkr.hcl
@@ -359,6 +359,12 @@ build {
     scripts          = ["${path.root}/../scripts/ubicloud/setup-runner-user.sh"]
   }
 
+  // Update OpenSSH (https://ubuntu.com/security/CVE-2024-6387)
+  provisioner "shell" {
+    execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
+    inline          = ["sudo apt-get update -qq && sudo apt -qq -y satisfy 'openssh-server (>= 1:8.9p1-3ubuntu0.10)'"]
+  }
+
   // It's Hyper-V Key Value Pair daemon, which is not needed in Ubicloud
   // It blocks booting the VM if it's not disabled
   provisioner "shell" {
diff --git a/images/ubuntu/templates/ubuntu-22.04.gpu.pkr.hcl b/images/ubuntu/templates/ubuntu-22.04.gpu.pkr.hcl
index 25f8211fca1f..87c3165af8e3 100644
--- a/images/ubuntu/templates/ubuntu-22.04.gpu.pkr.hcl
+++ b/images/ubuntu/templates/ubuntu-22.04.gpu.pkr.hcl
@@ -378,6 +378,12 @@ build {
     inline          = ["sleep 30"]
   }
 
+  // Update OpenSSH (https://ubuntu.com/security/CVE-2024-6387)
+  provisioner "shell" {
+    execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
+    inline          = ["sudo apt-get update -qq && sudo apt -qq -y satisfy 'openssh-server (>= 1:8.9p1-3ubuntu0.10)'"]
+  }
+
   // It's Hyper-V Key Value Pair daemon, which is not needed in Ubicloud
   // It blocks booting the VM if it's not disabled
   provisioner "shell" {
diff --git a/images/ubuntu/templates/ubuntu-22.04.pkr.hcl b/images/ubuntu/templates/ubuntu-22.04.pkr.hcl
index 8a6946d1fac6..b5ec2986bf37 100644
--- a/images/ubuntu/templates/ubuntu-22.04.pkr.hcl
+++ b/images/ubuntu/templates/ubuntu-22.04.pkr.hcl
@@ -433,6 +433,12 @@ build {
     scripts          = ["${path.root}/../scripts/ubicloud/setup-runner-user.sh"]
   }
 
+  // Update OpenSSH (https://ubuntu.com/security/CVE-2024-6387)
+  provisioner "shell" {
+    execute_command = "sudo sh -c '{{ .Vars }} {{ .Path }}'"
+    inline          = ["sudo apt-get update -qq && sudo apt -qq -y satisfy 'openssh-server (>= 1:8.9p1-3ubuntu0.10)'"]
+  }
+
   // It's Hyper-V Key Value Pair daemon, which is not needed in Ubicloud
   // It blocks booting the VM if it's not disabled
   provisioner "shell" {