-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: arm64
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-03)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added without
       constraints. The common cases of non-smartcard keys and keys without
       destination constraints are unaffected. This problem was reported by
       Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to thwart
       the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
       Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited
       break of the integrity of the early encrypted SSH transport protocol by
       sending extra messages prior to the commencement of encryption, and
       deleting an equal number of consecutive messages immediately after
       encryption starts. A peer SSH client/server would not be able to detect
       that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token returned
       multiple keys then only the first key had the constraints applied. Use
       of regular private keys, FIDO tokens and unconstrained keys are
       unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user or
       hostname via %u, %h or similar expansion token, then an attacker who
       could supply arbitrary user/hostnames to ssh(1) could potentially perform
       command injection depending on what quoting was present in the
       user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 591f28b3f05d369b1688091a90e1b8374e5ede85 3777036 openssh-client-dbgsym_9.2p1-2+deb12u2_arm64.deb
 ef3653bc3eafc8b0410a5c3b8ba244ba2b08f052 337948 openssh-client-udeb_9.2p1-2+deb12u2_arm64.udeb
 d5de16b48add05b49cbbf54225c9272a36787231 933484 openssh-client_9.2p1-2+deb12u2_arm64.deb
 ba426c2351bf5ad6f731e551c1a2abe70b8d2780 940592 openssh-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 d7f7025d426e839f7204ac82601f416431811102 354168 openssh-server-udeb_9.2p1-2+deb12u2_arm64.udeb
 2338b0093961b24ff57484c62587b55ea23ff59e 412736 openssh-server_9.2p1-2+deb12u2_arm64.deb
 4771932635f9a46ebbd4bd09852c02c744e799bc 166480 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 6a4366b6ed998ae259d04a5bb00d725bf46f25d0 60672 openssh-sftp-server_9.2p1-2+deb12u2_arm64.deb
 19a1076a95a6b9a41f120126f20e589464360efd 2949312 openssh-tests-dbgsym_9.2p1-2+deb12u2_arm64.deb
 efce1d67709802fcdc22303f56e48c6bc59c45e5 1017932 openssh-tests_9.2p1-2+deb12u2_arm64.deb
 4e8264b284cb3f45bb81c0880fead737eade1f57 18429 openssh_9.2p1-2+deb12u2_arm64-buildd.buildinfo
 f25bdaf8575f3a86423f1586ec498f39046b97b8 17000 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_arm64.deb
 b610c1959d4717f0648d43a3caf282b3f280a43b 187336 ssh-askpass-gnome_9.2p1-2+deb12u2_arm64.deb
Checksums-Sha256:
 9cc0a64b7850f6630de5e7e758846945c1773f593cb02266acc6d40f55540bd9 3777036 openssh-client-dbgsym_9.2p1-2+deb12u2_arm64.deb
 2f43dfe26a72c75297780087dd56f8b0654c8dd5e27f090f67de4298c2bbaf07 337948 openssh-client-udeb_9.2p1-2+deb12u2_arm64.udeb
 5624adf2aa7c02b6883e325e73977ab209fb669cd5c41f98cb15a62216068f35 933484 openssh-client_9.2p1-2+deb12u2_arm64.deb
 d34f500f4b9fa3675bbc9f3e6c572af924b1f9e28cd08aaf2d817c5c1d259c7e 940592 openssh-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 e71384bcfbd9deb8d26818db67fd0f52c2197bca57e1316c9040130442986d87 354168 openssh-server-udeb_9.2p1-2+deb12u2_arm64.udeb
 632ed67883d70ab4ce134e65edd526156a4c63e3557e9ee9cd4626a06bf22741 412736 openssh-server_9.2p1-2+deb12u2_arm64.deb
 bd618e4a822927e3e701283a0b9340c784b6f52fd03993baca0366f2cb10e7c5 166480 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 302c5daed4c84d0fb569f4d25f17f8cffce46ad222a985239d001f2c12f455f7 60672 openssh-sftp-server_9.2p1-2+deb12u2_arm64.deb
 155f6cf1757057231aeaf41cd38af91f1d503387ccfed64240425c4e67b3428e 2949312 openssh-tests-dbgsym_9.2p1-2+deb12u2_arm64.deb
 3b17221027e4ddd1e7b09ff7f9796c0f3f7785b47e9c8cc8dac3ee69306f90e2 1017932 openssh-tests_9.2p1-2+deb12u2_arm64.deb
 2f2357eb9a13435ff5e00a820b9c813aa091c56143332c2bec6ca26c2160f777 18429 openssh_9.2p1-2+deb12u2_arm64-buildd.buildinfo
 1be82868425e9acf06a95d39d7f43f3c43932affa6b756ddd28a968e47229de1 17000 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_arm64.deb
 36851c8979e9ff0cdcf92f158cd4115af4989624cdf85f1504fcc8228256cf20 187336 ssh-askpass-gnome_9.2p1-2+deb12u2_arm64.deb
Files:
 48372b314b4fd92ba6182407975b4096 3777036 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_arm64.deb
 a6e0e5ebfccc2e740c55f42d36b72050 337948 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_arm64.udeb
 e75edbc81341d4a5680bc17604195e70 933484 net standard openssh-client_9.2p1-2+deb12u2_arm64.deb
 49eacaf0c7be013a3ecd59ee954a9026 940592 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 2774edd28202ec69b5163e0b670a0567 354168 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_arm64.udeb
 54725c53011e76dc3ec93e3d2f3cbb7a 412736 net optional openssh-server_9.2p1-2+deb12u2_arm64.deb
 9d712619cca262344cd102a403ecab3d 166480 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_arm64.deb
 9b823edfb8c152a5a4e2a4580e8cfe14 60672 net optional openssh-sftp-server_9.2p1-2+deb12u2_arm64.deb
 191c3070e388c3a20e44c47093470494 2949312 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_arm64.deb
 5e950b0e7892a8b38e494f7923739b22 1017932 net optional openssh-tests_9.2p1-2+deb12u2_arm64.deb
 ca9e1f26331bda4d592c4e181c97eb39 18429 net standard openssh_9.2p1-2+deb12u2_arm64-buildd.buildinfo
 86837ee240958d32f6f005ec204e26ad 17000 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_arm64.deb
 4172593fdfd0e3bcf05a8ab7bc4a1bec 187336 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_arm64.deb
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEU81tY/BC8e+eAeWhLffeOnPnbLUFAmWBv/8ACgkQLffeOnPn
bLW8hQ/+MWVwUM8IMMz8Hwy3VmKNBHQsvlz5Og4PTALmO6EX8taGjVBrfTO/jIsk
yw6eTzU5CM4wfpOwFJI6ywKQ73gTbw5tYo4PelGYRnB8I6EDjrlDSzU2ZOTlFzBx
lx2UD9WyNeCjueB8+OcsA9/O4yueQ9i7avGwQa4+eRC2cPGED+s0vuVwav44dCaC
K5hE6UGFhwEpdVrEhmN8RCSAfrJnLXzyiB7RBhBOTE2UQoICg815fVTDblSsYyx+
EXM1VX6qzVagWrRB2ceyB+EvFSMc+JFbyN8X/xCa+UKlwK+oPUarIwgc/YzMBTjF
wmxb3yrgGDj+l767GNDYclC31lKP1YfgW26QocnKMdM7Fh4cMQm3rXsfNs2OowE8
qE2hc5UDX/FdOazoKMKhZwHU5+5rO93MfZ8Ggwd/UhhccX/Eyyi2oUVR71QpmMhg
zOD4nxHDNZClzba44ejcqSdBusq3+G/NlewSxIabWARCv9Owzi0sZ8jZdfjt0MGL
1ZFRIYvtUXOoX929bGxC5XtQCDedyf2Spgi6Nbb/N4Rou3/b0X0m5Kq2U5gOkG9g
uCbL/9NVGA+rGoTmYR++rbbLFg2lOQcVqiyA+z0LoX1XAXzHVcijw/EjHaGRiikH
F6M8e/aHbk/nDEr+HKf3viaxE+Z5AGzVX7OyPTcAK9bVJywZpk0=
=h3DF
-----END PGP SIGNATURE-----
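The CVE-2023-48795 entry in the changelog above describes the Terrapin attack but not how the "protocol extensions" are negotiated. The fix shipped in OpenSSH 9.6 (and backported here) is "strict kex": a fixed server advertises the pseudo-algorithm kex-strict-s-v00@openssh.com and a fixed client kex-strict-c-v00@openssh.com in the kex_algorithms name-list of SSH_MSG_KEXINIT, and the countermeasure only takes effect when both sides advertise it. The modes the attack applies to are chacha20-poly1305@openssh.com and CBC ciphers used with an encrypt-then-MAC (*-etm@openssh.com) MAC. The following is an added example, not code from this .changes file or from OpenSSH: it builds and parses KEXINIT payloads (RFC 4253 section 7.1 layout) and reports whether a server still offers an affected mode without strict kex covering it. The sample payloads are constructed, not captured traffic, and the zeroed cookie is only for determinism.

```python
"""Assess Terrapin (CVE-2023-48795) exposure from SSH_MSG_KEXINIT payloads."""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # advertised by a fixed sshd
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # advertised by a fixed ssh client

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
FIELD_NAMES = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 byte length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, compression=("none",), cookie=b"\x00" * 16):
    """Build a KEXINIT payload offering the same cipher/MAC lists in both directions.

    A real peer uses 16 random cookie bytes; the fixed default keeps samples deterministic.
    """
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    lists = (kex, hostkey, ciphers, ciphers, macs, macs, compression, compression, (), ())
    body = b"".join(_name_list(names) for names in lists)
    # trailer: boolean first_kex_packet_follows, uint32 reserved (0)
    return bytes([SSH_MSG_KEXINIT]) + bytes(cookie) + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists, rejecting truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # message-type byte + 16-byte cookie
    fields = {}
    for name in FIELD_NAMES:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        fields[name] = raw.decode("ascii").split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = payload[off] != 0
    return fields


def assess_terrapin(server_payload, client_payload=None):
    """List the affected modes a server offers and whether strict kex neutralises them.

    Strict kex only protects a connection when both peers advertise it; if no client
    payload is supplied, only the server side is judged.
    """
    srv = parse_kexinit(server_payload)
    server_strict = STRICT_KEX_SERVER in srv["kex_algorithms"]
    client_strict = None
    if client_payload is not None:
        client_strict = STRICT_KEX_CLIENT in parse_kexinit(client_payload)["kex_algorithms"]
    ciphers = set(srv["encryption_algorithms_c2s"]) | set(srv["encryption_algorithms_s2c"])
    macs = set(srv["mac_algorithms_c2s"]) | set(srv["mac_algorithms_s2c"])
    affected = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        affected.append("chacha20-poly1305@openssh.com")
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    affected.extend(f"{c}+{m}" for c in cbc for m in etm)  # CBC is only affected with ETM MACs
    mitigated = server_strict and client_strict is not False
    return {
        "server_strict_kex": server_strict,
        "client_strict_kex": client_strict,
        "affected_modes_offered": affected,
        "exploitable": bool(affected) and not mitigated,
    }


# Constructed sample KEXINITs (not captured traffic) with both affected modes enabled.
_COMMON = dict(hostkey=["ssh-ed25519"],
               ciphers=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-cbc"],
               macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SAMPLE_SERVER_UNPATCHED = build_kexinit(kex=["curve25519-sha256"], **_COMMON)
SAMPLE_SERVER_PATCHED = build_kexinit(kex=["curve25519-sha256", STRICT_KEX_SERVER], **_COMMON)
SAMPLE_CLIENT_UNPATCHED = build_kexinit(kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
                                        ciphers=["chacha20-poly1305@openssh.com"],
                                        macs=["hmac-sha2-256"])

if __name__ == "__main__":
    print("unpatched server:", assess_terrapin(SAMPLE_SERVER_UNPATCHED))
    print("patched server:", assess_terrapin(SAMPLE_SERVER_PATCHED))
    # A patched server talking to an unpatched client is still exposed.
    print("patched server, old client:",
          assess_terrapin(SAMPLE_SERVER_PATCHED, SAMPLE_CLIENT_UNPATCHED))
```

To run this against a live host, read the server's first binary packet after the version-string exchange (uint32 packet_length, byte padding_length, payload, padding) and pass the payload to `assess_terrapin`; the function never connects anywhere itself. Note that the mixed case (patched server, unpatched client) reports exploitable, which is why a server-side upgrade alone does not close the issue for old clients.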
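The CVE-2023-51385 entry above is easiest to understand by watching the expansion happen. A ProxyCommand such as `ssh -W %h:%p jumphost` is handed to the shell after %h is substituted, so a hostname that is itself shell syntax becomes part of the command. The following added example (not code from this .changes file or from OpenSSH) implements the token expansion and a validator modelled on the 9.6 "ban most shell metacharacters" check; the exact character set and the leading-dash and trailing-backslash rules are my reading of the upstream fix, not a verbatim copy of ssh.c, so treat them as an approximation. Hostnames, templates and user names in the block are constructed, and nothing is executed.

```python
"""CVE-2023-51385: percent-token expansion of untrusted host/user names into ProxyCommand."""

# Characters that turn a name into shell syntax once a directive expands %h or %r unquoted.
# Modelled on the OpenSSH 9.6 check (assumption: not a verbatim copy of upstream ssh.c).
SHELL_META = set("'`\"$\\;&<>|(){}")
RUSER_META = set("'`\";&<>|(){}")


def valid_hostname(name):
    """Reject hostnames that could be parsed as an option or as shell syntax."""
    if not name or name.startswith("-"):
        return False  # would be taken as an option by whatever consumes the expanded argv
    for ch in name:
        if ch in SHELL_META or ch.isspace() or ord(ch) < 0x20 or ch == "\x7f":
            return False
    return True


def valid_ruser(name):
    """Remote user names are slightly more permissive ('$' and a mid-string '\\' pass)."""
    if not name or name.startswith("-"):
        return False
    for i, ch in enumerate(name):
        if ch in RUSER_META:
            return False
        if ch.isspace() and name[i + 1:i + 2] == "-":
            return False  # "alice -x" would smuggle an option after a word break
        if ch == "\\" and i == len(name) - 1:
            return False  # a trailing backslash escapes the next template character
    return True


def check_command_line(host, user=None):
    """Return a list of problems (empty when the names are safe to expand)."""
    problems = []
    if not valid_hostname(host):
        problems.append(f"hostname rejected: {host!r}")
    if user is not None and not valid_ruser(user):
        problems.append(f"remote user rejected: {user!r}")
    return problems


def render(template, host, port=22, user="alice", local_user="bob"):
    """Expand ssh_config(5) tokens %h %p %r %u %% literally, with no validation.

    This is the pre-fix behaviour: the result is the string handed to the shell.
    Unknown tokens are left untouched here (real ssh treats them as a config error).
    """
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            repl = {"h": host, "p": str(port), "r": user, "u": local_user, "%": "%"}.get(template[i + 1])
            if repl is not None:
                out.append(repl)
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def safe_render(template, host, port=22, user="alice", local_user="bob"):
    """Post-fix behaviour: refuse to expand names that fail the metacharacter ban."""
    problems = check_command_line(host, user)
    if problems:
        raise ValueError("; ".join(problems))
    return render(template, host, port, user, local_user)


if __name__ == "__main__":
    proxy = "ssh -W %h:%p jumphost"            # a typical unquoted ProxyCommand
    evil = "`touch /tmp/owned`.example.com"    # constructed attacker-chosen hostname (never run)
    print(render(proxy, evil))                 # what the old client would have passed to sh -c
    print(check_command_line(evil))            # what the fixed client rejects
    print(safe_render(proxy, "db1.internal"))
```

The example also shows why single-quoting %h in the directive is not a complete fix: the validator rejects `'` precisely because a quote inside the name would close the quoting the directive relied on. Where hostnames come from untrusted sources (git remotes, CI variables, .ssh/config fragments pulled from a repository), run them through a check like this before they reach any %h-bearing directive.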
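Consumers of a .changes file like the one above verify two things: the clearsign signature (with `gpg --verify` against the buildd or uploader key, which this example deliberately leaves to gpg) and the per-file digests in the Checksums-Sha256 field against what actually landed in the pool or the local download directory. The following added example (not part of this .changes file or of any Debian tool) strips the RFC 4880 cleartext-signature framing, parses the deb822 stanza with its continuation lines, and checks each listed file's size and SHA-256. The embedded sample is a constructed excerpt of the file above (two real Checksums-Sha256 entries, signature body omitted), and the stand-in "pool" in the demo is a dict, so it runs offline.

```python
"""Parse a clearsigned Debian .changes file and verify its Checksums-Sha256 entries."""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

# Constructed excerpt of the arm64 .changes file: the two entries are copied from its
# Checksums-Sha256 field; other fields are trimmed and the signature body is omitted.
SAMPLE_CHANGES = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Source: openssh
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Checksums-Sha256:
 9cc0a64b7850f6630de5e7e758846945c1773f593cb02266acc6d40f55540bd9 3777036 openssh-client-dbgsym_9.2p1-2+deb12u2_arm64.deb
 5624adf2aa7c02b6883e325e73977ab209fb669cd5c41f98cb15a62216068f35 933484 openssh-client_9.2p1-2+deb12u2_arm64.deb
-----BEGIN PGP SIGNATURE-----

(signature body omitted from this excerpt)
-----END PGP SIGNATURE-----
"""


def unwrap_clearsigned(text):
    """Return the signed body of a cleartext-signature block, or the text unchanged.

    Only the framing is removed; this does not verify the signature (use gpg for that).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." armor headers
        i += 1
    i += 1  # the blank line that ends the armor headers
    body = []
    for line in lines[i:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"


def parse_control(text):
    """Parse one deb822 stanza: 'Field: value' plus continuation lines starting with whitespace."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # a blank line ends the stanza
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line[1:]
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(fields, field="Checksums-Sha256"):
    """Return [(hexdigest, size, filename), ...] from a Checksums-* field."""
    entries = []
    for line in fields.get(field, "").splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts
        if field == "Checksums-Sha256" and not SHA256_HEX.match(digest):
            raise ValueError(f"bad sha256 digest for {name}: {digest}")
        if "/" in name or name in (".", ".."):
            raise ValueError(f"refusing path-like filename: {name!r}")  # no directory traversal
        entries.append((digest, int(size), name))
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_entries(entries, read_file):
    """Map filename -> ok/missing/size-mismatch/sha256-mismatch; read_file(name) gives bytes or None."""
    results = {}
    for digest, size, name in entries:
        data = read_file(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"  # cheap check first, before hashing
        elif sha256_hex(data) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    fields = parse_control(unwrap_clearsigned(SAMPLE_CHANGES))
    entries = parse_checksums(fields)
    # Constructed stand-in for the pool directory: first file absent, second one tampered.
    pool = {"openssh-client_9.2p1-2+deb12u2_arm64.deb": b"not the real package"}
    print(fields["Version"], verify_entries(entries, pool.get))
```

Against a real download directory, pass `read_file=lambda n: open(os.path.join(pooldir, n), "rb").read() if os.path.exists(os.path.join(pooldir, n)) else None`, and run `gpg --verify` on the .changes file first: the digests are only worth checking once the stanza they came from is known to be the one the buildd signed. The MD5 digests in the Files field and the Checksums-Sha1 field are legacy; compare against Checksums-Sha256.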