-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: i386
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to
       effect a limited break of the integrity of the early encrypted SSH
       transport protocol by sending extra messages prior to the
       commencement of encryption, and deleting an equal number of
       consecutive messages immediately after encryption starts. A peer SSH
       client/server would not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys is unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
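The CVE-2023-51385 entry above describes the mitigation only in outline (reject names containing shell metacharacters before they reach %h / %u expansion). The following is an added illustration, not OpenSSH's own code, of that allowlist-before-expansion pattern; the permitted character set is an assumption chosen to be conservative, not the exact rule upstream uses.

```c
#include <ctype.h>
#include <string.h>

/* Conservative allowlist for user and host names before they are
 * substituted into %h / %u in a ProxyCommand-style template.
 * Assumed set (not OpenSSH's exact rules): ASCII letters, digits,
 * '-', '.', '_' and ':' (for IPv6 literals). Every shell metacharacter
 * falls outside this set and is therefore refused. */
int name_is_shell_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    if (name[0] == '-')          /* a leading '-' could be read as an option */
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == ':')
            continue;
        return 0;
    }
    return 1;
}

/* Expand %h, %u and %% in tmpl into out, but only after both names pass
 * the allowlist. Returns 1 on success; on refusal or when the result
 * would not fit, returns 0 and leaves out as an empty string. */
int expand_proxy_template(const char *tmpl, const char *host,
                          const char *user, char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    if (!name_is_shell_safe(host) || !name_is_shell_safe(user)) {
        out[0] = '\0';
        return 0;
    }
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *rep = NULL;
        if (*p == '%' && p[1] == 'h') { rep = host; p++; }
        else if (*p == '%' && p[1] == 'u') { rep = user; p++; }
        else if (*p == '%' && p[1] == '%') { rep = "%";  p++; }
        size_t rlen = rep ? strlen(rep) : 1;
        if (n + rlen >= outsz) { out[0] = '\0'; return 0; }
        if (rep) { memcpy(out + n, rep, rlen); n += rlen; }
        else out[n++] = *p;
    }
    out[n] = '\0';
    return 1;
}
```

The important property is that validation happens on the raw name, before any template quoting is considered, so the outcome does not depend on how carefully the user's ssh_config(5) directive quoted %h.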