-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: mipsel
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk.
       This attack allows a MITM to effect a limited break of the integrity
       of the early encrypted SSH transport protocol by sending extra
       messages prior to the commencement of encryption, and deleting an
       equal number of consecutive messages immediately after encryption
       starts. A peer SSH client/server would not be able to detect that
       messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
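Added example, not OpenSSH's code and not part of this upload record: a Python approximation of the user/hostname validation that the CVE-2023-51385 entry above describes, together with a ProxyCommand-style %h/%u expansion that validates and quotes each value before tokenising. The regex, the metacharacter set and the function names are assumptions made for this example; upstream's own checks (in misc.c) differ in detail.

```python
import re
import shlex

# Constructed approximation of the hostname check OpenSSH added for
# CVE-2023-51385 (upstream's valid_domain() in misc.c); this regex is an
# assumption written for the example, not a copy of OpenSSH's code.
# Labels of letters, digits and '-', joined by '.', optional trailing '.'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")

# Shell metacharacters and whitespace that must never reach a command
# template unquoted (constructed list; upstream's set differs in detail).
_SHELL_META = set("`$|;&<>(){}[]\"'\\*?!~#\t\n ")


def valid_hostname(host: str) -> bool:
    """True only for DNS-style names (IPv4 literals pass as digit labels).
    Metacharacters, whitespace, control bytes and a leading '-' all fail."""
    return 0 < len(host) <= 253 and _HOST_RE.match(host) is not None


def valid_user(user: str) -> bool:
    """Reject empty names, names beginning with '-' (would parse as an
    option) and names containing metacharacters or control characters."""
    if not user or user.startswith("-"):
        return False
    return not any(c in _SHELL_META or ord(c) < 0x20 for c in user)


def expand_proxy_command(template: str, host: str, user: str) -> list[str]:
    """Expand %h / %u / %% in a ProxyCommand-style template safely:
    validate both values first, quote each substitution with shlex.quote,
    then split once with shlex so the result is an argv, not a shell string.
    Raises ValueError for input the validators reject."""
    if not valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    if not valid_user(user):
        raise ValueError(f"rejected user: {user!r}")
    subst = {"h": shlex.quote(host), "u": shlex.quote(user), "%": "%"}
    expanded = re.sub(r"%([hu%])", lambda m: subst[m.group(1)], template)
    return shlex.split(expanded)


if __name__ == "__main__":
    # Constructed sample inputs: one clean host and two that carry
    # metacharacters of the kind the fix bans from the command line.
    for host in ("bastion.example.com", "host;touch /tmp/x", "`id`.example.com"):
        try:
            argv = expand_proxy_command("ssh -W %h:22 jump-%u", host, "alice")
            print("accepted:", argv)
        except ValueError as err:
            print("rejected:", err)
```

The point of the two layers is that validation and quoting are independent: the validator refuses input that a legitimate hostname never needs, and the quoting plus argv split means that even a template written without quotes around %h cannot turn a substituted value into extra shell tokens.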
Checksums-Sha1:
 2d10daeab5c8cb48364fe0e82f6f0eae36f9ddc4 3642552 openssh-client-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 a5338be49b62105368099f3a03a673dad7945920 356040 openssh-client-udeb_9.2p1-2+deb12u2_mipsel.udeb
 965d5c195eab9a8a21090e5aa85a77ec5ea5f901 947396 openssh-client_9.2p1-2+deb12u2_mipsel.deb
 5188eb2b9b608abdda6b28ec1d9b0efab45c64d7 952304 openssh-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 a6ac3e761e5c295cb9db34e9f3af9de56fd184e8 375228 openssh-server-udeb_9.2p1-2+deb12u2_mipsel.udeb
 f09528e00f43bafec83c924dbe0efa66fd805f9e 409816 openssh-server_9.2p1-2+deb12u2_mipsel.deb
 4eb1387c5e2719da029f29c7e1cab8ef0a8955eb 171076 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 9d453cc1e80510eb6d745c4b517515ce7334de23 62756 openssh-sftp-server_9.2p1-2+deb12u2_mipsel.deb
 1006eef405d81ad426f494e72ffe3283caf2adcf 2883744 openssh-tests-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 5c10afab60b774686d8ad5f975734025cd386cf2 1062780 openssh-tests_9.2p1-2+deb12u2_mipsel.deb
 d4693bda59f43ad899879c6ffbb477326f532dfe 18289 openssh_9.2p1-2+deb12u2_mipsel-buildd.buildinfo
 d2b2988270575c2796f52ebdfa460cb2f6b5b516 17416 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 2d7a651272ea14e97d93d6fb72f368c3e9ba18aa 187416 ssh-askpass-gnome_9.2p1-2+deb12u2_mipsel.deb
Checksums-Sha256:
 f8b9d95160b6219147ed87584a53054e115f12fe919c22ce1423ab6208bee1e4 3642552 openssh-client-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 0365107eaa054d63c69570adb52c32e5680de8d494ca80b445eae21ce5fd42ee 356040 openssh-client-udeb_9.2p1-2+deb12u2_mipsel.udeb
 41b19eb80dc557d86343767d2b9532fca59d45ec9d346176c3f7a935ab18c5cb 947396 openssh-client_9.2p1-2+deb12u2_mipsel.deb
 e37c63735b5196cd124165433bf8151f618f0892dd5683e1e27e9f28b647d0c1 952304 openssh-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 c032b6acc3e952c4ea5b9786b526ee528779024c85d85eb8056d5fdeeb16b924 375228 openssh-server-udeb_9.2p1-2+deb12u2_mipsel.udeb
 41d9ddbf5c549058e1d73cc0d78d4772d856efb3a7dca33606e9860b9bebfcfa 409816 openssh-server_9.2p1-2+deb12u2_mipsel.deb
 241e71afdb81b281122525b49a548c0519bacbf0fba450494da3185945a69a5b 171076 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 546d66741d89c4fd5d57a33c7d3efa27bc5a4e22fbc98a1a740a9fa35d616e35 62756 openssh-sftp-server_9.2p1-2+deb12u2_mipsel.deb
 5443fd63ebb891a726cfc39b7e33733c3d82a79d2580ce6c752cf4c2c32f18fd 2883744 openssh-tests-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 f176500c0c23619196376eaf0097d731856ac1ca750fee15bf8640082b2b8566 1062780 openssh-tests_9.2p1-2+deb12u2_mipsel.deb
 ef459c162a0185296d860a0103fa7064524851cafff72fac9b7be6233b1d898b 18289 openssh_9.2p1-2+deb12u2_mipsel-buildd.buildinfo
 c9b5c695be0b2a818bbacc1505ce99579d8cc25a38304a2fb230eef3cf59b98e 17416 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 8314e5fd481a7d96a7ecb57f094e5b15c097f5f5eb263f5df99883aedd81e248 187416 ssh-askpass-gnome_9.2p1-2+deb12u2_mipsel.deb
Files:
 e8919f97ba39587ea96a8556ceca96bd 3642552 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 4c30b29da978a7afad026f4cdf15aaba 356040 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_mipsel.udeb
 b822b15df0f046503ea40f6d240f9786 947396 net standard openssh-client_9.2p1-2+deb12u2_mipsel.deb
 10118e245651a2d2ffea771a52f83271 952304 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 703b5117b0a3967e1dd5f73702badc39 375228 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_mipsel.udeb
 8ae80eacc40ea9768a92f48b53ce3d73 409816 net optional openssh-server_9.2p1-2+deb12u2_mipsel.deb
 726ce6a06c2340c507aa62f598ddecd4 171076 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 d258cb9909f812e58ce6833cc4b2d981 62756 net optional openssh-sftp-server_9.2p1-2+deb12u2_mipsel.deb
 fbf0f8a3b19a1ee402792d664b6a6fdd 2883744 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 d196f165060bfe68d057c01c36db780d 1062780 net optional openssh-tests_9.2p1-2+deb12u2_mipsel.deb
 c43eaf87578054213dc248bd88c540fe 18289 net standard openssh_9.2p1-2+deb12u2_mipsel-buildd.buildinfo
 e4ee0702f553541a707fbdc2645e8dea 17416 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_mipsel.deb
 c8b3215a99125dabb9101dfacd52c81e 187416 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_mipsel.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXUZVEjohYGA7PDpMojl408mCs9YFAmWBw48ACgkQojl408mC
s9ar/w//bD8RljCi4OphN+Oh2TlfWPlN7l56dClbZkGQ19ch1+AEGTsCpKZUARD7
+GyRG7SJ3IPnjj1fXBjtUkRRwvvjpILkhFmz4gRtv1r9gnEVQguDgSRucViej+6N
zSzZ3w8TrWnuy5NM/+N3oIGNGgoppR3Oeb+OidAuf1zCvcBU8vI754Nh/Bw2wvfK
i1A3i58kAziF+I+pr7GqexY0QuX+Zep+Oc1vlrixik5q2hMNKYEJNAiu36krXDQ8
tJh6rZ3KK3R1IrHCBMjXP7lToWjvdaM4fTv6qD5l/yGeRxOaP9Viyy56gYojNy3Z
64yhd/hU7z55LicUC6swkXd1EAjUjS42mZGr3g4KhoMUhSDc7fK/VFpg8X7NGoTA
ReAwktkB2hjOegrgL5jmt3AOhLETHvUz4pXOpNk0N4lj4LvzocMTY3uOIcP94LQH
uJpTajy2x6EaAOZylXB3lrGoGHrypoHcytRxGGZSBZV+R6xZgx8vi/Zn8JUiuMZE
GtM7mu89VA+wI+gwGRAkQMfZRnkHFLnAx8tH1Z2vWPCtp7Y/eYgdnhnMbV1C6mj3
OVAydNRTyK3W1VTQOPyjUSmwuIFrVXdDIQXbyZeFsSEGjWTzx3Qsqcn1nFn8U+Fo
82dpPJDuIyYkNyo9TFjhBOEjDM942zKavfO5aw5O5EhGeEdxz4Y=
=gPhl
-----END PGP SIGNATURE-----