-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: mips64el
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: mips64el Build Daemon (mipsel-osuosl-01)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 0bd01eb57bd9cfd44863c9898566bfa585cc663d 3718260 openssh-client-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 b58d573fe6ed321eb49bf3ad4cfbbc2fbe336239 340880 openssh-client-udeb_9.2p1-2+deb12u2_mips64el.udeb
 f635b3f25381a868f00e106338458691ab5d700a 924240 openssh-client_9.2p1-2+deb12u2_mips64el.deb
 16ca98bb85cd031ee840e1c37a5b9122b101d70b 975368 openssh-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 4aa54a10ee19e01a87c22032c85204c0495c4597 359836 openssh-server-udeb_9.2p1-2+deb12u2_mips64el.udeb
 81b8d102b7389fffe0f276055eaaf97bfe0af032 394788 openssh-server_9.2p1-2+deb12u2_mips64el.deb
 38252e8f2521eb7c593daefafaa1ee3827a5e4d2 172452 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 5b24fc7deaaef3d155fd8d2bca953e1b37586e91 58492 openssh-sftp-server_9.2p1-2+deb12u2_mips64el.deb
 b24d1cd02f93b711165274e004b558f860fe1c6b 2946824 openssh-tests-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 42a37a0de2eb1987470e447df480f5468de60989 1058188 openssh-tests_9.2p1-2+deb12u2_mips64el.deb
 3b3f1030fd8e444d995f990192c52322759f10d8 18369 openssh_9.2p1-2+deb12u2_mips64el-buildd.buildinfo
 23ec5f1a29bc3ec50279ff35d85cc6efe4ecc3f5 17672 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 48960e2029aa66da45bb6e551955fad01c0132b0 187480 ssh-askpass-gnome_9.2p1-2+deb12u2_mips64el.deb
Checksums-Sha256:
 a21bc9c2eff3e2ca09aa2891f6bd72d1daeefa5cb3bc6e05f559fcdb158ce63f 3718260 openssh-client-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 28096144ac63e197476675363e09ed7caa63d0642bbd85d82bd0315e6be9699a 340880 openssh-client-udeb_9.2p1-2+deb12u2_mips64el.udeb
 a8af4c29ffd14ac6fdc59b887b6e0120b4f6b5a3cc7d2709b21014aa2d8ebba4 924240 openssh-client_9.2p1-2+deb12u2_mips64el.deb
 5cdb7790ce41fbd85114909aed61de9382e86051d94a71007d92e7aa62a65df4 975368 openssh-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 a52873ca5c2c9c7f757eddd6778dc6874067879915d09c4c2346591d30f00ce7 359836 openssh-server-udeb_9.2p1-2+deb12u2_mips64el.udeb
 f93107647a53157c5e1d025ba4bc258716c2d115c83c51d91a30d1fb02400238 394788 openssh-server_9.2p1-2+deb12u2_mips64el.deb
 7c42c97767889a746c99dbdd766f21fbf4c5e64acfaa41a0c87a605034c01169 172452 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 4e0da5ba9399b09ef1a979be2d0ce229197028df339783023e36306980df3f52 58492 openssh-sftp-server_9.2p1-2+deb12u2_mips64el.deb
 b9f6c9c7d0380e513e4db10989d04985beab3d60ae0c2dce410c7c6b15c863df 2946824 openssh-tests-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 613afc86cb349f4cc03a9fec07bd73c0a2f31fdec8ed9e6c19ab411db86055b5 1058188 openssh-tests_9.2p1-2+deb12u2_mips64el.deb
 08a1e5157f9ce6028d27f9da54aae3fa508ae14121c031b170ddbd083985b373 18369 openssh_9.2p1-2+deb12u2_mips64el-buildd.buildinfo
 b822bd2525557d1725febcfee25eee4d9d7fbaa1ffcfd921147ca9f68acf05df 17672 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 b30825e5385093c08affc4dcf4bde08e1fa7ffe5073ae46c2386555bf9f0eb6d 187480 ssh-askpass-gnome_9.2p1-2+deb12u2_mips64el.deb
Files:
 389fe9da999a430dd0be9ccd35b00175 3718260 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 e22e5948b19578fab19882679f48e058 340880 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_mips64el.udeb
 d9ccc90d72b1ecd26cdec89ef73cdc03 924240 net standard openssh-client_9.2p1-2+deb12u2_mips64el.deb
 3dc98dcad20aa601a2611d2865cdbc77 975368 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 9484de065af05089e9255a30ee9950d0 359836 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_mips64el.udeb
 6d691fda9946e4a06e45663a8b101feb 394788 net optional openssh-server_9.2p1-2+deb12u2_mips64el.deb
 a4ecaf73c3bf03319fdbf7056b501526 172452 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 9888843764eaf023ac29506accac6977 58492 net optional openssh-sftp-server_9.2p1-2+deb12u2_mips64el.deb
 c70ecf6cc35b3541c0ce79b3d830be7c 2946824 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 6498ffc872e95b9a2f5eace031264145 1058188 net optional openssh-tests_9.2p1-2+deb12u2_mips64el.deb
 ce8903c53141332239494fd2759f2564 18369 net standard openssh_9.2p1-2+deb12u2_mips64el-buildd.buildinfo
 ddda514eaa087c5a4402b50a10d2528a 17672 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mips64el.deb
 229d4d679003e7434f48f92dc6f7f8ed 187480 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_mips64el.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERCYbPUzzGtvq4mlq066AbFDPUlEFAmWBz/AACgkQ066AbFDP
UlHfGhAApLOAfqoXdK9lpUZ3ykeQJCQv2JxyK73v47b81FwwfwqGZe1CNVJYS0vM
bL9nHv0PLNc4BQkN1oMLaXNEmYz6dQ2q7a5p6nJqI3JXHTGz0KD432N+TjeJyzcW
49zcvtW6jzAZXSULq2yQYG0AbPT2GufBZMGICSqOiVLwiCOwSRb02gZ/0bCTh9Jy
OsXVzrbryedcX5yN2b/mwrik2EH5ynxblW6n5UIVUYhFg2oEPinRn7uhWWD0JM86
t88vU+pT5nS4lBOUoCw027EmZyGOxJX9bZTZsmluuh9tJLbt1YJrg7/gQscumL8T
EDU+SrzCgjApLt6FXf72+xHKUcCPF0rJZf0iLNJDETHxcY5G7BtAjRHRwhAaJC0W
TC50FhcCRXXoxA/U/mD6UNMhTaKt1h0i7zG7DrqwMuZNqBEFW9TrdUibYGsuqSHZ
zIdF/Tuh4KmbDUEPM2EEXsnCgeIzoJVQfZbfkXhIFHE7gCmHY/AhIQDMmv/nXn6W
Ekxgqy+lYETQOXg9PunlyHRFKL88eW81HahsbJCbTxzG14LecwIusHHvCQ1cWONv
Kpb7vQ/DLy9aVjBw22vJseeZ0qMkyArelM7fA1qvyYdyg0HtrOl0ceTtRJw9Sygu
PHcExIXrsZCg1kdV3vBnSNEB3zWZcpKFhUwyb7l7VcOwt/EHmdo=
=yegd
-----END PGP SIGNATURE-----