-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: amd64
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: amd64 Build Daemon (x86-grnet-01)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to
       effect a limited break of the integrity of the early encrypted SSH
       transport protocol by sending extra messages prior to the
       commencement of encryption, and deleting an equal number of
       consecutive messages immediately after encryption starts. A peer SSH
       client/server would not be able to detect that messages were
       deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private
       keys while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that
       contained shell metacharacters was passed to ssh(1), and a
       ProxyCommand, LocalCommand directive or "match exec" predicate
       referenced the user or hostname via %u, %h or similar expansion
       token, then an attacker who could supply arbitrary user/hostnames to
       ssh(1) could potentially perform command injection depending on what
       quoting was present in the user-supplied ssh_config(5) directive.
       ssh(1) now bans most shell metacharacters from user and hostnames
       supplied via the command-line.
Checksums-Sha1:
 687c857a7741ae0570a290b9edfb2712103b51d5 3810948 openssh-client-dbgsym_9.2p1-2+deb12u2_amd64.deb
 74dfe403d4b337705fdd9a153ba77bafd4ee5e6b 377916 openssh-client-udeb_9.2p1-2+deb12u2_amd64.udeb
 77fd1b131f90b81e35c48efb1a5baf5e6a5c63e3 989620 openssh-client_9.2p1-2+deb12u2_amd64.deb
 432b70823dac1acc7210197aa47ec3169b299515 940192 openssh-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 b0e588a9d3e325d6904b21d4f9dd912bb7db10f0 392956 openssh-server-udeb_9.2p1-2+deb12u2_amd64.udeb
 64ffeeb1a6739f59161c0bf05ed847a845e9f576 456120 openssh-server_9.2p1-2+deb12u2_amd64.deb
 c74ee1d7f504c91a56ed9e6533d47e86efbb3bbc 165440 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 8796684bb76949b071b040a4ed26067126b4b7ce 66028 openssh-sftp-server_9.2p1-2+deb12u2_amd64.deb
 52cc8cb4996653231682fd536ace85093ce1437e 2963272 openssh-tests-dbgsym_9.2p1-2+deb12u2_amd64.deb
 b9922b22d539b4c5a331ec3835319d0d5a8feca0 1046840 openssh-tests_9.2p1-2+deb12u2_amd64.deb
 23b16656094e08234c59607eeab064a568d4b061 18506 openssh_9.2p1-2+deb12u2_amd64-buildd.buildinfo
 fabee7c1521e4bf931976816e8dda37c14b91d7c 17000 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_amd64.deb
 524c87ccc39f6f8f41a392219231cb1aa0106289 187500 ssh-askpass-gnome_9.2p1-2+deb12u2_amd64.deb
Checksums-Sha256:
 9980d9b139e251f668ba318cb2771510eae8e524f07d3929e3ca9ab8a064156d 3810948 openssh-client-dbgsym_9.2p1-2+deb12u2_amd64.deb
 b98c993eb95ca0d3aa213c1fa0898796fa74ea87f0ffeac563beb1f9c909487c 377916 openssh-client-udeb_9.2p1-2+deb12u2_amd64.udeb
 17fc3fb0897b9d26f779d60d056d9a1ce68af50208118c4277cf18a0496f36a8 989620 openssh-client_9.2p1-2+deb12u2_amd64.deb
 ae01bf1208aeab2b334469d3687345c281fae309df0beacd66cc72877fe948db 940192 openssh-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 3b497d9e2cbe658ca8ff714fdaecd6091f0c933eb49150c5deef94a7ceb9b659 392956 openssh-server-udeb_9.2p1-2+deb12u2_amd64.udeb
 b923ffe6b52077d12d4572dd1bebbd88307441411e8464e6baf556ea7bd95c0e 456120 openssh-server_9.2p1-2+deb12u2_amd64.deb
 70b3fecfe03a2d8c355e406819409fd129abe9ba63d1eaef824ebdfe0d02370d 165440 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 32c543d4cc265378b9701712d8e71f02a49875009cf0b96d0289a3987d4bf8c2 66028 openssh-sftp-server_9.2p1-2+deb12u2_amd64.deb
 3fffa2a98ba6999f15a902872462d4ebe9a633dee1acc18bbb594ed812b215fa 2963272 openssh-tests-dbgsym_9.2p1-2+deb12u2_amd64.deb
 f94b0e7212e8454c6f57957cc983be72a6d56455899afeaec87be5ed7ef40a5b 1046840 openssh-tests_9.2p1-2+deb12u2_amd64.deb
 4c8bcef5f7377ff7eb67d695655de157cdde9d8a8fb5ed57a6557c8136e61f30 18506 openssh_9.2p1-2+deb12u2_amd64-buildd.buildinfo
 60c50a3e403863507ca0ad42450c335f41c9b991f0b97b0d686527f372b1ce4c 17000 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_amd64.deb
 c806c5838d29f88cf9c76ab8e140dec08f5aa9a5c96f634519283f9f53ec1f3b 187500 ssh-askpass-gnome_9.2p1-2+deb12u2_amd64.deb
Files:
 ccd18c3c94568c86bff28e5dc4ca0beb 3810948 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_amd64.deb
 7bfbfb2effc478e0229cae8118dbfcf7 377916 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_amd64.udeb
 474b12508ea57859e86b30d8c6b426fc 989620 net standard openssh-client_9.2p1-2+deb12u2_amd64.deb
 31ec1ad853d1103eb5c3b7ba704c5552 940192 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 ee0fa078d2677ad94e98a5a9ebbbde85 392956 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_amd64.udeb
 f0930c1b2118e1f0a3c541aa71ac591a 456120 net optional openssh-server_9.2p1-2+deb12u2_amd64.deb
 f07748e47969d28cb7d51623bad9630a 165440 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_amd64.deb
 05ad2e2db45fc2eec521f3c3a29722e4 66028 net optional openssh-sftp-server_9.2p1-2+deb12u2_amd64.deb
 fd46014ac898b3b4578dd3c6dad53b04 2963272 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_amd64.deb
 c8692cd6515d3ca3572c142a680591f6 1046840 net optional openssh-tests_9.2p1-2+deb12u2_amd64.deb
 37d0456d32505042ba432b7020554056 18506 net standard openssh_9.2p1-2+deb12u2_amd64-buildd.buildinfo
 747a5fc93e4b03ca75f5c9b0c5adcb8d 17000 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_amd64.deb
 83e8fb0f3647dab1eb223b413d735fd6 187500 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEqYm4ZPyuLwhx8Meo2VckltclZ4AFAmWBv8sACgkQ2Vckltcl
Z4As9RAArD9fX68fPwwMyN2CYP51NL0n4tot0Ziw3eHU1SboVR0BDUjKvyy1Qyqf
4DR1kb82jPWL11OFbXrgU0GAz3FAG9UKrydOUjs3pesspxvjzXEjsBjfq56RBKUk
DmVa9wh51vSBW8os6k5sMYyhkdTkiM84CLonq65dh1jLmIpiwOoic6HQ3nsF8zNe
hjwPaQdPR+7/8yzso1s7/qrr+XBB7joBxuGceTEW8zSThbWqjddyBbZ6U+uqgO2H
JPW5RHUf9P+V+T1GjoyoXQHqLFGLOTV1fwi/BpSEmpNZfOKwPxz98HagZmQFh/T4
Dr2FCs3qZY9OspsWsZtPZIT8e27EPoxxRhIMIyteZ/Nd60iIF5FcYoizPQ1PcGd7
63XOnI+HmO7l0RGv+Zjbc32k6gWG5za5DGGpmUHnVpS7LOAaBxvy4aA16/Ohr5Wd
n3hEssj4ItB/AzEOXLP9ojb4pV1klhJx3jDbwGuIbIU9sWwSK2HsfQLScgXc0iI3
/Y6UrHjVxZMwUh3qoZTnIHxzdwvwtDfYak2yT3o9D/3sMnsR25s2OklrSXBbtgaW
42MwP2h/nrKPSuRxEfxxho4/ze+oqWYoFB1vQkfVd8u8XWUP5/74shZyGRsneArY
0837qj2nwm4xGQ5oMQGLcfp6dYEVIteJlsBhPim74RPDvhdo8fk=
=TQpw
-----END PGP SIGNATURE-----
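The CVE-2023-48795 entry above says only that "protocol extensions" were implemented. What a practitioner wants to check on a live host is whether a peer actually advertises them: upstream OpenSSH 9.6 (which this cherry-pick tracks) signals "strict KEX" with the pseudo-algorithms kex-strict-c-v00@openssh.com (client) and kex-strict-s-v00@openssh.com (server) in the kex_algorithms name-list of SSH_MSG_KEXINIT, and the Terrapin paper shows the attack is practical against chacha20-poly1305@openssh.com and against CBC ciphers paired with encrypt-then-MAC MACs. The parser and assessment below are an added example written for this page, not code from OpenSSH or from the Debian package; the two KEXINIT payloads are constructed here, not captured from real hosts, and the field layout follows RFC 4253 section 7.1.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithms OpenSSH 9.6 puts in kex_algorithms to signal strict KEX;
# the client sends the -c- name, the server the -s- name.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

_NAME_LIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                     "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Return the ten name-lists and trailing fields of a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id, then the 16-byte random cookie
    out = {}
    for field in _NAME_LIST_FIELDS:
        out[field], off = _read_name_list(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    out["first_kex_packet_follows"] = payload[off] != 0
    (reserved,) = struct.unpack_from(">I", payload, off + 1)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return out


def build_kexinit(kex, enc, mac, hostkey=("ssh-ed25519",), comp=("none",)):
    """Serialise a KEXINIT; used here only to construct the sample payloads."""
    def name_list(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += name_list(names)
    return body + b"\x00" + struct.pack(">I", 0)


def exploitable_modes(enc, mac):
    """Cipher/MAC choices the Terrapin paper shows a MITM can exploit:
    chacha20-poly1305, and any CBC cipher paired with an -etm MAC."""
    hits = []
    if "chacha20-poly1305@openssh.com" in enc:
        hits.append("chacha20-poly1305@openssh.com")
    for c in sorted(x for x in enc if x.endswith("-cbc")):
        for m in sorted(x for x in mac if x.endswith("-etm@openssh.com")):
            hits.append(f"{c} with {m}")
    return hits


def assess(payload, role):
    """role is 'client' or 'server': which side sent this KEXINIT."""
    k = parse_kexinit(payload)
    flag = STRICT_KEX_CLIENT if role == "client" else STRICT_KEX_SERVER
    enc = set(k["enc_c2s"]) | set(k["enc_s2c"])
    mac = set(k["mac_c2s"]) | set(k["mac_s2c"])
    return {"strict_kex": flag in k["kex"],
            "exploitable_modes": exploitable_modes(enc, mac)}


# Constructed sample payloads (not captures): a server that carries the
# extension but still offers chacha20, and a legacy server offering CBC+ETM.
PATCHED_SERVER = build_kexinit(
    kex=("curve25519-sha256", STRICT_KEX_SERVER),
    enc=("aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"),
    mac=("hmac-sha2-256-etm@openssh.com",))
LEGACY_SERVER = build_kexinit(
    kex=("curve25519-sha256",),
    enc=("aes128-cbc", "aes256-ctr"),
    mac=("hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"))

if __name__ == "__main__":
    for name, p in (("patched", PATCHED_SERVER), ("legacy", LEGACY_SERVER)):
        print(name, assess(p, "server"))
```

One KEXINIT only describes one side. A connection is protected only when the client's KEXINIT carries kex-strict-c-v00@openssh.com and the server's carries kex-strict-s-v00@openssh.com; if either peer cannot be updated, the fallback is to drop chacha20-poly1305@openssh.com and the CBC ciphers (or the -etm MACs) from Ciphers and MACs so that no exploitable mode can be negotiated.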
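The CVE-2023-51385 entry describes the injection path in one sentence: an unquoted %h or %u in a ProxyCommand is spliced into a string that /bin/sh -c then interprets. The example below is added for this page and is not OpenSSH's or the Debian package's code: it reproduces that splice with a harmless ProxyCommand, shows a hostname of the kind an attacker could plant in a repository's remote URL running a command substitution, and then puts an allowlist check in front of the expansion in the spirit of the fix. The allowlists (valid_hostname, valid_ruser), the token expander, the proxy template and the sample hostnames are all constructed here; the character set is an assumption of this example, not a transcription of what ssh(1) now enforces.

```python
import re
import subprocess

# Allowlists in the spirit of the fix (constructed here, not OpenSSH's code):
# hostnames are letters, digits, '.', '-', '_' and ':' for IPv6 literals, and
# may not start with '-' (a ProxyCommand such as "nc %h %p" would take that as
# an option); user names additionally allow '@'. Everything else, including
# every shell metacharacter, is rejected before any %-expansion takes place.
_HOST_RE = re.compile(r"[A-Za-z0-9_.:][A-Za-z0-9_.:-]*")
_USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]*")


def valid_hostname(host):
    return 0 < len(host) <= 255 and _HOST_RE.fullmatch(host) is not None


def valid_ruser(user):
    return 0 < len(user) <= 255 and _USER_RE.fullmatch(user) is not None


def expand_tokens(template, host, user, port=22):
    """%h/%u/%p substitution as it reaches the shell: a plain text splice with
    no quoting added, so whatever the hostname contains becomes shell syntax."""
    return (template.replace("%%", "\x00")
            .replace("%h", host).replace("%u", user).replace("%p", str(port))
            .replace("\x00", "%"))


def run_proxy_command_unsafe(template, host, user):
    """Vulnerable shape: expand first, then let sh -c interpret the result."""
    cmd = expand_tokens(template, host, user)
    res = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=False)
    return res.stdout.strip()


def run_proxy_command_safe(template, host, user):
    """Hardened shape: refuse metacharacters in the untrusted values up front."""
    if not valid_hostname(host):
        raise ValueError(f"refusing hostname {host!r}")
    if not valid_ruser(user):
        raise ValueError(f"refusing user {user!r}")
    return run_proxy_command_unsafe(template, host, user)


# Constructed inputs: a ProxyCommand that only echoes its target, and a
# "hostname" carrying a command substitution that the shell will run.
PROXY_COMMAND = "echo connecting to %u@%h:%p"
BENIGN_HOST = "bastion.example.internal"
HOSTILE_HOST = "$(echo INJECTED)"

if __name__ == "__main__":
    # The unsafe path prints "connecting to alice@INJECTED:22": the
    # substitution ran, so a real payload would have run too.
    print(run_proxy_command_unsafe(PROXY_COMMAND, HOSTILE_HOST, "alice"))
    try:
        run_proxy_command_safe(PROXY_COMMAND, HOSTILE_HOST, "alice")
    except ValueError as e:
        print("blocked:", e)
```

The same splice applies to LocalCommand and to "match exec" in ssh_config(5), since all three pass the expanded string to the shell. The changelog scopes the new ban to values supplied on the command line; hostnames written into the user's own ssh_config are the user's responsibility, which is why the template itself is not validated here.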