-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: armel
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-02)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 b7c568c9036ed4cdeddcc674775436ab2d91ab41 3455200 openssh-client-dbgsym_9.2p1-2+deb12u2_armel.deb
 638891a1c436f93c37a21e4634baee5740f59375 338368 openssh-client-udeb_9.2p1-2+deb12u2_armel.udeb
 dc258a5b7202bf959967854c5203a5b35964c882 862796 openssh-client_9.2p1-2+deb12u2_armel.deb
 d7d3e2875088983621359024f1858992c5b5bed7 919372 openssh-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 392c71b101a9ccc30ca6c0149b365af16cfd903d 351204 openssh-server-udeb_9.2p1-2+deb12u2_armel.udeb
 1ef624ffb79193f55cddc1ef0876e462b40a18ff 400684 openssh-server_9.2p1-2+deb12u2_armel.deb
 64c7b8cd3474b2713825ccb3a1719794d69bd166 164456 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 9d054f964af8fb7ef0c3774f818065a04ebe6ad6 56860 openssh-sftp-server_9.2p1-2+deb12u2_armel.deb
 08cbf9890bc813fee306c0b3ef2e557d2a9fb45e 2710952 openssh-tests-dbgsym_9.2p1-2+deb12u2_armel.deb
 c33744c0a4076057aaa1a42e64b945e32336a133 924244 openssh-tests_9.2p1-2+deb12u2_armel.deb
 42c7792aaf2cdc446a2fbdea62e0dbee59847b04 18300 openssh_9.2p1-2+deb12u2_armel-buildd.buildinfo
 bfe817f6622f7ac53b53b9fe01671b48b0b36db6 16864 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armel.deb
 0e864cf432e82c8cc8feb47b2c221a4714dde652 186948 ssh-askpass-gnome_9.2p1-2+deb12u2_armel.deb
Checksums-Sha256:
 628339c797cc788766f6dc14f406970c9664b4a10ed1734ea6d005257474ec7c 3455200 openssh-client-dbgsym_9.2p1-2+deb12u2_armel.deb
 62a4b3ea28c210ff9be29df024c958bb2740e23f432f8bf6e9059ac4c1fb4144 338368 openssh-client-udeb_9.2p1-2+deb12u2_armel.udeb
 f7bca815ec4d235efaab2a2e12a4f046867095686697dad215a0ef1425a0138e 862796 openssh-client_9.2p1-2+deb12u2_armel.deb
 8faa0a95f72162da8d8a1cd20e2530b4423059cab33f7fde7b7dcfbb3022f467 919372 openssh-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 7833ce23f8b8738c0d2468792d2c23e0c8309678330a3eeb1fc39f124b22215c 351204 openssh-server-udeb_9.2p1-2+deb12u2_armel.udeb
 973d6723d6fcde4ce64e3a6ae79709d0f01eb98b80e5e7083cc467bb904873db 400684 openssh-server_9.2p1-2+deb12u2_armel.deb
 df0236ba63f42fa84d7ab7fc05a3a00c932371170d5a70896321d47407becb03 164456 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 1c13ec13d8c094ba00fdea318a96f2fa80137849e42503a1dba78bbb8c438ff4 56860 openssh-sftp-server_9.2p1-2+deb12u2_armel.deb
 1124601cc344fe850b916bf05315ef12263b58fdd38a5fc7d3fa1141332f9f91 2710952 openssh-tests-dbgsym_9.2p1-2+deb12u2_armel.deb
 b4ff5c7f50043a84b9aacb8f33e1bc42ed4eb0733bf3eb0dac9457730d9798ed 924244 openssh-tests_9.2p1-2+deb12u2_armel.deb
 7e0de598c7d4138c9c05399cf734527c02e31e90dfe6efbde1b838080507001b 18300 openssh_9.2p1-2+deb12u2_armel-buildd.buildinfo
 1bf66982e27ec4698b55dc662d6101e6f657868c76dbe047025dd1686fd17f5e 16864 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armel.deb
 6493dda8b50c89e66614311c3eda6344c599fb38aae42fbb1c3658de076e78df 186948 ssh-askpass-gnome_9.2p1-2+deb12u2_armel.deb
Files:
 1dc103408433afcbe8e037ae206a5b70 3455200 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_armel.deb
 bfb89ab4aefa220c3c18e2a561dd28d5 338368 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_armel.udeb
 3e8139307a6a1952c47e98e293067c86 862796 net standard openssh-client_9.2p1-2+deb12u2_armel.deb
 cb25a8a6cda114127b47334a21ca7409 919372 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 baf0a109a7279c2eb75ac8a04328bc0e 351204 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_armel.udeb
 db1d3edd22d3e6b442111a7bfdb838a8 400684 net optional openssh-server_9.2p1-2+deb12u2_armel.deb
 62f83d063ab21c0703a0abe0056d21b8 164456 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armel.deb
 6d028af441fab705afa2cf6527b9f647 56860 net optional openssh-sftp-server_9.2p1-2+deb12u2_armel.deb
 203970da12a6c8e4487b1eb2cdd1b738 2710952 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_armel.deb
 2aebd3936bad02a7ac17b48b212e2716 924244 net optional openssh-tests_9.2p1-2+deb12u2_armel.deb
 988fae81f703d6f001e3c1ad5d973b60 18300 net standard openssh_9.2p1-2+deb12u2_armel-buildd.buildinfo
 af46467a2e12c70af58d22de56760f1a 16864 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armel.deb
 7b098b685d18cdc31950608fd514f76e 186948 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_armel.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBv+o19JDIRm4yIQ5CeROIpkCGwcFAmWBwJMACgkQCeROIpkC
GwdUuw/+PQwvBc5uo+Y96Y3MjuydxdZwsn0WZdRpaXwDgQd1PX0b1j7P/J4Jqlaa
jby9LFVNV52nSXGT4iCpDrbAmEXy2wd1I5hN7u46vHP6HdudGrcJL2tr+Jo5q6n5
1bD9iO9OZhxaFzPkClqJoV6We9W+3XVJYzMGlmlqFKn4p6z3Xh3+IyqNFhJ5+mJj
dsbe+rLsGYokKDpinkarXqfW3RAI/hFqiF6KOMAjGFgZ9E2LekKafykmD9WXb5HV
4x+8qufzbq+eS1d8oXnKCs5aq3ulv+5LmTi3qVdc5GPHMS67oE6zGRY5JSSvJ9a+
0K/SySIChGLPQ8X/3lkDg2+Ka5TR99zsdZbMKK3m7PJMXUkBaMu9pzE2VnCZL0K/
DKXzwDlBP3mQN0dnL2YNSxcjBfWzqls5qi1AFI7F7sd3wbFrjB8LvrDqDGnQo6Oi
3UZrg2ySIX7yTF2z4nycmURs1M2nyzZGVhgOhHHasX4NfNLqj5Vb4yof7JjLz3/R
gPoaKLYfMD72Ou2heKcnqIWYG7HOicui4nOdGcrD2w1F6CGdEPhu35uz2iZrZ7Z1
x3uL7NM0c2e40U5tzId8W/a29UkK2N1mTH5NyQLGaYgIi/qeRXEETjowuOWEtuBq
fxXMtGn+i2QG0u4MHs3CuIUkmJ1DL7iKbaO3oganx7ergLS8iMs=
=kg9a
-----END PGP SIGNATURE-----