-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: armhf
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-04)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 d668675990f6dea1090e7bae43bd093e04f56bce 3573232 openssh-client-dbgsym_9.2p1-2+deb12u2_armhf.deb
 5d14fdd239adc2f3a38352d0a6737f0afcb9c041 341844 openssh-client-udeb_9.2p1-2+deb12u2_armhf.udeb
 1ab2294ad40251b0b21165f034cb0ab2cd4e0cf9 898504 openssh-client_9.2p1-2+deb12u2_armhf.deb
 71bbfe1939a367138e58fe72090302246ffecb2b 946164 openssh-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 d3be2a8cde256bc962af044b90f6c2d541b3d345 358744 openssh-server-udeb_9.2p1-2+deb12u2_armhf.udeb
 5338e87eb406df5dd11235a4ede9c8a6984a9335 417672 openssh-server_9.2p1-2+deb12u2_armhf.deb
 b3f7c8b7cad0af2ac888e59a0ea7d0286e83b0c8 168732 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 173c184c7210e4c12c4953b0c3853d7b0cebf019 60556 openssh-sftp-server_9.2p1-2+deb12u2_armhf.deb
 a762f70572051a8a8950023a0bce4d93db66db5a 2807692 openssh-tests-dbgsym_9.2p1-2+deb12u2_armhf.deb
 382e2a133666410b7bbdd62d2f9ad5fab4705a1c 955512 openssh-tests_9.2p1-2+deb12u2_armhf.deb
 04174dfc01b16dfc5c0af49da4ff585701af2122 18302 openssh_9.2p1-2+deb12u2_armhf-buildd.buildinfo
 df5fdf7fdf05038d8a900a7d48b781ea43ffeb51 16976 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armhf.deb
 bbdbe01808e76a1bba481fc31e416bd1b4de72bb 186936 ssh-askpass-gnome_9.2p1-2+deb12u2_armhf.deb
Checksums-Sha256:
 4995ba23129b5127ec67f69600e57af3d25c50a2cdff5bf1e9b113a84e495513 3573232 openssh-client-dbgsym_9.2p1-2+deb12u2_armhf.deb
 f607e066d4965c41e0cb3bf49ce489d8cc384ffc1341fe7af6cc61d6c08ada07 341844 openssh-client-udeb_9.2p1-2+deb12u2_armhf.udeb
 f281444c548701f0a4fd348a47337a2f33752824c8e0080bee178058f876f409 898504 openssh-client_9.2p1-2+deb12u2_armhf.deb
 65b2b7b2587857d5bb1a2f69ed1171bf66799d634f5f33fe864ea5b008590440 946164 openssh-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 4a90d789837ec8989205a64bf2541ed7d6c79af12ecc3bcc8f7131b079176cbf 358744 openssh-server-udeb_9.2p1-2+deb12u2_armhf.udeb
 c4eb04e7196129774511e962a5d121639b678b7ddda2b527651146426b0f9092 417672 openssh-server_9.2p1-2+deb12u2_armhf.deb
 bd2a712ee250c9c302216d8df67f79c453ba70944c17339c9a4395a30003f354 168732 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 410ab58763a5a6765fa9cc0770dff39810a85eb0d89e94d894e6660ea016bc24 60556 openssh-sftp-server_9.2p1-2+deb12u2_armhf.deb
 5ea5af0df49d8732f4d17a0d0f64bbb2b6ae056309e72d0b4ec15267a76f05f8 2807692 openssh-tests-dbgsym_9.2p1-2+deb12u2_armhf.deb
 961cceac982c0323064d55591f3ea0db182cf48195196f9a4e6b5b95e7778bec 955512 openssh-tests_9.2p1-2+deb12u2_armhf.deb
 0b7c3262af35219e84dc301c76251815f8cea5889a8c1f0f98212b3defa6a8da 18302 openssh_9.2p1-2+deb12u2_armhf-buildd.buildinfo
 b4b7818f2ec1f39d18b2f715685cc94c19bc28651c9a742c34658d808bdf655f 16976 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armhf.deb
 ebe8a54b0015ca8dfbcf56db614ff24b2f8394fbc3e501bcd2becac3546735f6 186936 ssh-askpass-gnome_9.2p1-2+deb12u2_armhf.deb
Files:
 87fde105c1c02f3b57e0007f676ab14c 3573232 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_armhf.deb
 a1e1d44a3afaa178f94ce8fbb03e5c55 341844 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_armhf.udeb
 f4955e6776dbf83236f0eed8b7a703c8 898504 net standard openssh-client_9.2p1-2+deb12u2_armhf.deb
 dcc9a761df6839b647c5de70dc593260 946164 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 b2734927a5efd6f0c678f2abc84052ab 358744 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_armhf.udeb
 7d5246af7b7baf6d7ed0e1aad841514a 417672 net optional openssh-server_9.2p1-2+deb12u2_armhf.deb
 e0154b75d693adca57dacec095c03f1f 168732 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_armhf.deb
 94ef36ec3ed2cfe9647efd9cca610486 60556 net optional openssh-sftp-server_9.2p1-2+deb12u2_armhf.deb
 54dd406516cfe54833f9d26d02d398c1 2807692 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_armhf.deb
 4a100167780b2368c97e15913ea7ae64 955512 net optional openssh-tests_9.2p1-2+deb12u2_armhf.deb
 508520c7fef3cddd4974b76d92b2a9a6 18302 net standard openssh_9.2p1-2+deb12u2_armhf-buildd.buildinfo
 c4c3051d8a977f4d92abe952bbbb8d3e 16976 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_armhf.deb
 04b441e728feee7d17e376d3be4c6a03 186936 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_armhf.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEU5Ohx66NeEdc9V4jWTHLDRjMKsQFAmWBw9MACgkQWTHLDRjM
KsQvbA//XWMhaJkR1rC7Sv6gHHA9YAfzwmHspbx2hcnPrv9YgQBAeYkdiQ5XW3sA
TOQD7rkHT+D5HT6eDJGBalZLM2jj4hxrT30sVtpfpAZUrvH6gyP2N1b+4EBtYxjg
lU80zTbrOUqfHs20L/BvDrlaF3n3mkNdZui1JN9Zz+D3EJeuNgAZ1/l/Knkt4afr
XMWVQe9ZQlUx5n2E+zKu5/Z8+ZGPEul6RhlNWvOwpB2CwNCEEbp8PvZas+d68agi
RQH5M5QP730Bttc80VH/SVUOllr3R29xHFpMYuEvH1jrsUPZv/st3LLOG2YzW3Gq
KjzJTkDBCIdr6GwHNIyM5nahxMMuSOQvMWYHjI8PyaoxmjJb+01aU5coiTWC5VHh
BvS5+ArHvW03cFjozos0UnuYjMORwvgEngXr1Nfs7Inn7kogjoypP9UYgIMTMUgu
W88hPIkW/zpmtE+f9yfleIQQScQGODXk2vwIb/JYYbs/lrhb4y+V5NOWHlXAMKKz
Ol1FgdKtnM3ST/MgIonrRbLTT/UTXD3cO/OBCVxBChvFZKRbqXpZbHjN0D6c0D8q
Oc8JYqtRltdcXxcUViRW3nv5fthGOBxegxeFhLH8HsRFm/rPCqNtanVxqi5Jtig+
P28RzL7Kv2F/SHOcdw8hnplhOlUB8eaVZBLwueM+bjaP2NczINk=
=bDSc
-----END PGP SIGNATURE-----
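The CVE-2023-48795 entry above describes the Terrapin mitigation only as "protocol extensions". What a practitioner usually wants is a way to see whether a given peer actually negotiates them: a patched sshd lists kex-strict-s-v00@openssh.com (a patched ssh lists kex-strict-c-v00@openssh.com) in the kex_algorithms name-list of its SSH_MSG_KEXINIT, and the attack itself only bites when ChaCha20-Poly1305 or a CBC cipher with an encrypt-then-MAC MAC is negotiated. The following Python is an added example, not code from OpenSSH or from this Debian package: it serialises and parses KEXINIT payloads, assesses what is offered, and includes a live probe that reads a server's first (unencrypted, unauthenticated) packet. The two sample payloads are constructed inline, not captured from any real host, and the algorithm lists in them are illustrative.

```python
"""KEXINIT parser and strict-kex check for CVE-2023-48795 (Terrapin).
Added example; not OpenSSH or Debian code. Sample payloads are constructed."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # advertised by a patched sshd
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # advertised by a patched ssh

# The ten name-lists of KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(fields, cookie=None):
    """Serialise a KEXINIT payload from {field: [names]}; missing lists are empty."""
    out = bytes([SSH_MSG_KEXINIT]) + (cookie if cookie is not None else os.urandom(16))
    for f in KEXINIT_FIELDS:
        data = ",".join(fields.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Inverse of build_kexinit; raises ValueError on malformed or truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, fields = 17, {}  # skip the message byte and the 16-byte cookie
    for f in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated before name-list %s" % f)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % f)
        off += n
        fields[f] = raw.decode("ascii").split(",") if raw else []
    return fields


def assess(fields, peer_is_server=True):
    """Terrapin needs a non-strict KEX plus ChaCha20-Poly1305 or CBC with an
    encrypt-then-MAC MAC. Report whether this peer leaves that combination open."""
    strict = (STRICT_KEX_SERVER if peer_is_server else STRICT_KEX_CLIENT) in fields["kex"]
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and \
        any(m.endswith("-etm@openssh.com") for m in macs)
    return {"strict_kex": strict, "chacha20": chacha, "cbc_etm": cbc_etm,
            "at_risk": (chacha or cbc_etm) and not strict}


def probe_server(host, port=22, timeout=5.0):
    """Live check: read the banner, send ours, return the server's parsed KEXINIT.
    The first packet carries no MAC and no encryption, so no crypto is needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # servers may send text first
            banner = f.readline()
        if not banner:
            raise ConnectionError("no SSH banner from %s" % host)
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        (plen,) = struct.unpack(">I", f.read(4))
        pad = f.read(1)[0]
        payload = f.read(plen - pad - 1)
        f.read(pad)  # discard random padding
        return banner.decode("ascii", "replace").strip(), parse_kexinit(payload)


# Constructed sample resembling a patched server (strict-kex marker present)...
PATCHED = build_kexinit({
    "kex": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256", STRICT_KEX_SERVER],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com"], "mac_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}, cookie=bytes(16))
# ...and the same server before the update (marker absent, same ciphers).
UNPATCHED = build_kexinit({**parse_kexinit(PATCHED),
                           "kex": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256"]},
                          cookie=bytes(16))


def sample_assessment(patched=True):
    return assess(parse_kexinit(PATCHED if patched else UNPATCHED))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 kexinit_probe.py host [port]
        banner, fields = probe_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
        print(banner, assess(fields))
    else:
        print("patched:  ", sample_assessment(True))
        print("unpatched:", sample_assessment(False))
```

Note that the strict mode is only used when both sides advertise it, so a patched sshd talking to an old client is still negotiable in the vulnerable way; the probe tells you about one side only, and the conservative fix on an unpatched peer is to remove chacha20-poly1305@openssh.com and the CBC ciphers (or the -etm MACs) from its Ciphers/MACs configuration.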
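The CVE-2023-51385 entry says ssh(1) "now bans most shell metacharacters" from command-line user and host names, but not why that is the right layer for the fix. The reason is the expansion path: ssh substitutes %h, %p, %r and friends into the ProxyCommand string and hands the result to /bin/sh -c, so a ProxyCommand such as "nc -X connect -x proxy:1080 %h %p" turns an attacker-chosen hostname of $(id) into executed shell. The Python below is an added example, not OpenSSH's own code: it performs a minimal token expansion, shows the pre-fix command string, and applies an input filter in the spirit of the fix. The exact metacharacter set, the hypothetical ProxyCommand line and the helper names are assumptions for illustration; the upstream check may differ in detail, and it applies only to names given on the command line, not to Host/HostName entries already in ssh_config(5), which are trusted configuration.

```python
"""ProxyCommand expansion behind CVE-2023-51385 and a filter in the spirit of
the fix. Added example, not OpenSSH code; SHELL_META is an assumption."""
import subprocess

SHELL_META = set("'`\"$\\;&<>|(){}")  # assumed set; upstream's may differ


def expand_tokens(template, host, port, user):
    """Minimal ssh_config(5) token expansion as used for ProxyCommand.
    No quoting is applied: the result goes verbatim to the shell."""
    subs = {"%h": host, "%p": str(port), "%r": user, "%%": "%"}
    out, i = [], 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in subs:
            out.append(subs[tok])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def valid_hostname(s):
    """Reject names that could alter the expanded command: a leading '-'
    (option smuggling into nc/ssh), whitespace, control bytes, shell metachars."""
    if not s or s.startswith("-"):
        return False
    return not any(c in SHELL_META or c.isspace() or ord(c) < 32 for c in s)


def valid_ruser(s):
    """Usernames are looser (some deployments allow spaces) but still must not
    carry quoting, grouping or redirection characters."""
    if not s or s.startswith("-"):
        return False
    return not any(c in "'`\";&<>|(){}" for c in s)


def proxy_command_for(template, host, port=22, user="git", enforce=True):
    """Return the command ssh would run. With enforce=True the name is vetted
    before expansion, which is the post-fix behaviour for command-line names."""
    if enforce and not (valid_hostname(host) and valid_ruser(user)):
        raise ValueError("refusing unsafe user/host name: %r@%r" % (user, host))
    return expand_tokens(template, host, port, user)


def run_like_ssh(cmd):
    """How ssh launches a ProxyCommand: one string given to /bin/sh -c.
    Only used in the demo below, with a harmless echo template."""
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


TEMPLATE = "nc -X connect -x proxy.internal:1080 %h %p"  # hypothetical ssh_config line

if __name__ == "__main__":
    evil = "$(id)"  # attacker-supplied hostname, e.g. from a URL the user pasted
    print("benign :", proxy_command_for(TEMPLATE, "git.example.com"))
    print("pre-fix:", proxy_command_for(TEMPLATE, evil, enforce=False))
    # Demonstrate the injection with an echo template instead of nc:
    print("shell  :", run_like_ssh(expand_tokens("echo host=%h", evil, 22, "git")).strip())
    try:
        proxy_command_for(TEMPLATE, evil)
    except ValueError as e:
        print("post-fix:", e)
```

Running the demo prints the expanded pre-fix command with $(id) embedded, the uid line the shell actually produced for the echo template, and the refusal from the filtered path. Backtick, pipe and leading-dash variants are rejected by the same check.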