-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: ssh
Architecture: all
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Colin Watson
Description:
 ssh - secure shell client and server (metapackage)
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
       ssh-agent(1) with the per-hop destination constraints (ssh-add -h
       ...) added in OpenSSH 8.9, a logic error prevented the constraints
       from being communicated to the agent. This resulted in the keys
       being added without constraints. The common cases of non-smartcard
       keys and keys without destination constraints are unaffected. This
       problem was reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to
       effect a limited break of the integrity of the early encrypted SSH
       transport protocol by sending extra messages prior to the
       commencement of encryption, and deleting an equal number of
       consecutive messages immediately after encryption starts. A peer
       SSH client/server would not be able to detect that messages were
       deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private
       keys while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that
       contained shell metacharacters was passed to ssh(1), and a
       ProxyCommand, LocalCommand directive or "match exec" predicate
       referenced the user or hostname via %u, %h or similar expansion
       token, then an attacker who could supply arbitrary user/hostnames
       to ssh(1) could potentially perform command injection depending on
       what quoting was present in the user-supplied ssh_config(5)
       directive. ssh(1) now bans most shell metacharacters from user and
       hostnames supplied via the command-line.
Checksums-Sha1:
 3c28238f5d2223610cc57ca61a02f33c2f7b1ee3 14898 openssh_9.2p1-2+deb12u2_all-buildd.buildinfo
 d78ed75332b859792603979ff138f7e94992b457 173984 ssh_9.2p1-2+deb12u2_all.deb
Checksums-Sha256:
 06d7ba565bdaa32be9507b121152307c1ecad2aece72e104e2c56c8ce4db4159 14898 openssh_9.2p1-2+deb12u2_all-buildd.buildinfo
 7bc59d31f1069bbfbdbd4cfcc2e9f17104317c80c6d2b638dd68489dc86267a5 173984 ssh_9.2p1-2+deb12u2_all.deb
Files:
 6800cc573e95e9dbbda5582ded559c4a 14898 net standard openssh_9.2p1-2+deb12u2_all-buildd.buildinfo
 2ecaba8966bbe0868d113f4361089440 173984 net optional ssh_9.2p1-2+deb12u2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
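
An added example for the CVE-2023-51385 entry above (not part of the upload record and not OpenSSH's own code): it lists ssh_config(5) directives that hand a user or host name token to a shell, and checks a name against a metacharacter deny-list. The token set (%h, %n, %r, %u), the deny-list, the function names and the sample configuration are assumptions of this example.

```python
import re

# Directives whose argument is run by a shell, as named in the changelog entry.
SHELL_KEYWORDS = ("proxycommand", "localcommand")
# Assumption: %h, %n (host) and %r, %u (user) count as the name tokens.
# "%%" is a literal percent sign, so "%%h" is not a token.
NAME_TOKENS = re.compile(r"(?<!%)(?:%%)*%([hnru])")
# Assumption: illustrative deny-list; the entry does not enumerate the set.
UNSAFE = set("'`\"$\\;&<>|(){}")

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
Host jump-*
    ProxyCommand ssh -W %h:%p bastion.example.org
Host git
    LocalCommand echo "connected to %n as %r"
Match exec "test -f ~/.ssh/use-%h"
Host plain
    ProxyCommand nc %%h.literal 22
"""

def name_is_safe(name):
    """Reject empty names, option-like names and shell-significant characters."""
    if not name or name.startswith("-"):
        return False
    return not any(c in UNSAFE or c.isspace() or ord(c) < 32 or ord(c) == 127
                   for c in name)

def risky_directives(config_text):
    """Return (line_no, keyword, tokens) for shell directives expanding a name."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        keyword, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            m = re.search(r"\bexec\s+(.*)", rest, re.I)
            if not m:
                continue
            keyword, rest = "match exec", m.group(1)
        elif keyword not in SHELL_KEYWORDS:
            continue
        tokens = NAME_TOKENS.findall(rest)
        if tokens:
            findings.append((no, keyword, tokens))
    return findings

if __name__ == "__main__":
    for no, keyword, tokens in risky_directives(SAMPLE):
        print(f"line {no}: {keyword} expands %{', %'.join(tokens)}")
```

Directives it reports are the ones to review for quoting on hosts that have not yet installed the fixed package.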