-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: ppc64el
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-conova-01)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys is unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 96cf0f840e3c2186a00d9e897a3cc5c9ea925639 3660632 openssh-client-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 02bcbf1aa91efeeb9aaf2e14f7f4478878d057f2 349540 openssh-client-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 2683fb32696152bd15cc6508bcff4f948e0cc0c9 1002556 openssh-client_9.2p1-2+deb12u2_ppc64el.deb
 f3acc7f0f31044193daae4fed13efa6e7a33cc71 964908 openssh-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 793d6ead346b5afad97f413298e67a17d48e2d66 366420 openssh-server-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 321a4559e5f7ae6a347ed9aebabed28721458168 465436 openssh-server_9.2p1-2+deb12u2_ppc64el.deb
 48826b07dde9e67a1633694231fd4f0cc1f8ae19 170192 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 c39cea9bcc3199256d16ce4efd44d24b4c84a930 70192 openssh-sftp-server_9.2p1-2+deb12u2_ppc64el.deb
 c3b136cb0493130b5406d6405cfb2b3765a0b4a6 2896744 openssh-tests-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 fe19eeb1b9b9371b65fd30724decdb720f1ff1d6 1057044 openssh-tests_9.2p1-2+deb12u2_ppc64el.deb
 02018b6c1c741c0eb66111314267ea8cabc8793e 18489 openssh_9.2p1-2+deb12u2_ppc64el-buildd.buildinfo
 4ba5b94a61629d98c88ff3b1d98b6ba288c54c3b 17300 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 01b4125d6aff77d3f486a8263e63a47ba539caa1 187704 ssh-askpass-gnome_9.2p1-2+deb12u2_ppc64el.deb
Checksums-Sha256:
 6c75bb4de006b6060bed449803452590fe38cd0c3d4eb7d1013ada9a2f788c23 3660632 openssh-client-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 fb77122a6caf953542f4d24f43d2e7292b516015f823c369fdb49256ad3edf89 349540 openssh-client-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 bd24c168aae1aef58eae794b8012f1b7784c673ac9fbcfe078eb0f6b36c006f8 1002556 openssh-client_9.2p1-2+deb12u2_ppc64el.deb
 5c3907ad0b970ba321e06cba2f5ddaddd83ea090d4f9eb3064841b16fda69d6c 964908 openssh-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 96cfcb763f22d29994c47b8eea3c7b6de0bc1762366f2738b94e5b532ea95b7e 366420 openssh-server-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 2356c33508af076e65691eb36c9f2026e7bc6b3f910236d87b0f6d116acb1ce8 465436 openssh-server_9.2p1-2+deb12u2_ppc64el.deb
 bbff8fdbcc67a973d4af41afd868b6ae0675b7f3b7a2ccfd54242b8737aee3de 170192 openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 97da09524602ddb3e41a43a963cdd0eefab006eb763b4c4d25fb6f69254f4ba6 70192 openssh-sftp-server_9.2p1-2+deb12u2_ppc64el.deb
 dfe0b77177c24bba3583dbba7b8566b9c2f1382ac2a56e3eef546fb3f2485744 2896744 openssh-tests-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 31b21cd646176b8b9f545fe4bfc4009bb23b15d136c183dc93b68fc9630379ac 1057044 openssh-tests_9.2p1-2+deb12u2_ppc64el.deb
 5619100526b1202d1fbe2b196a3da39b04a65426e54b01b6d832f5120f8eaaff 18489 openssh_9.2p1-2+deb12u2_ppc64el-buildd.buildinfo
 2116c8399d2a71691fdc76f87fca8fb7b53a6d8160e6cd636e9becf784b004da 17300 ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 56be8353f04d363e1c9f8269f1bce7747d6570c5b86cd62286ebededf0493c27 187704 ssh-askpass-gnome_9.2p1-2+deb12u2_ppc64el.deb
Files:
 3559f61e467dae960f4023d0a552e571 3660632 debug optional openssh-client-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 50d1a7c3ee49f0f23d11287b010d3fc6 349540 debian-installer optional openssh-client-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 65761f63788a6cb55e55e9775d29ec67 1002556 net standard openssh-client_9.2p1-2+deb12u2_ppc64el.deb
 2113cfbdc85cb842a186add073a8cc19 964908 debug optional openssh-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 760bb24e3c2abea5d360da88099068c3 366420 debian-installer optional openssh-server-udeb_9.2p1-2+deb12u2_ppc64el.udeb
 2c5989ef161e28d8c9bab2fb2b212dfe 465436 net optional openssh-server_9.2p1-2+deb12u2_ppc64el.deb
 cf505fe492f7d27a7e34c323870d2fe6 170192 debug optional openssh-sftp-server-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 0ed4b343a466b676ac8586d9b836deb3 70192 net optional openssh-sftp-server_9.2p1-2+deb12u2_ppc64el.deb
 53aaa18bb25eb8283cf2465c4c6b9e26 2896744 debug optional openssh-tests-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 98fc091224477a267cbba270f2f99798 1057044 net optional openssh-tests_9.2p1-2+deb12u2_ppc64el.deb
 9c84373cb2aa5a579db9afd451405074 18489 net standard openssh_9.2p1-2+deb12u2_ppc64el-buildd.buildinfo
 b3d4ce55b632649765c6252dbe81cade 17300 debug optional ssh-askpass-gnome-dbgsym_9.2p1-2+deb12u2_ppc64el.deb
 b10cbff552fc09e06d787174c3132672 187704 gnome optional ssh-askpass-gnome_9.2p1-2+deb12u2_ppc64el.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8YyVP0bbbFwKPsGN0jKBgzfto4IFAmWBwDwACgkQ0jKBgzft
o4LKHA//Zm2vOdbX6UkR4vXsJCpUi04P1IlS9qRyKvZUbpINg0csv6GhE0f1PCuc
c87XvBDLUVqaKhLQAO97twqkEoIZFTAu7OhPlMnfx2LbnAWHd+rZ1daf3eMhh6cj
1f7c4Y+5IGp0jucjhr44UoDw21vR1nbB+yrjRN3F7HP/GjkXIjNarBeQK9GAPdcW
bxnYzYJh4Hgz37toGWThDhbdYc6yMjhcBA5nH+mI+TDjG95ilKPZ+jeJq7EOZHAa
X9lReXcSECTclIOacdrn5I+E9hJmJ6S5ZFauQOlf6gRB+cxMqXv7oZdnUzSx5tKS
qn7itdooJlz9+jSf22aBDoDhzvylfxdcL1Y6/DH6SDl+ALj8muyB/Yx/oryC4rFu
Gb4kvjr7gGumj2d04HghFpr5Y30Mw05HEgfEC6RuY/11dNt+i+NQMWzR0tVcLlGs
MlGfQUyObjHfpdxkLpleuFy1Ba3YMo+zaIV6uanZnKtTm5HuHhkNEvDcaZF+IJeo
anQLkaSTs1SOrPO5I9BYWeiLx2rtVQKO3qI3UGUzItHVu8HXA8euwGMOOduesZM3
F6jarVc5nLkWONqaM6feJMhTVRzK12q5L+h2APiyUtDwOicRALOknJHI8JEUzjiS
pATx4C6zjuW6aFTAvMvsD+MuKQGtsxXY86S0k5Sh/Gfwd8/QvEs=
=/OLs
-----END PGP SIGNATURE-----
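The CVE-2023-51385 entry in the changelog above describes the mechanism in two parts: ssh_config(5) tokens such as %h and %u are expanded into a ProxyCommand string that a shell then runs, and the fix is to refuse user and host names carrying shell metacharacters. The following is an added example, written for this page and not code from OpenSSH or the Debian package, that models both halves for anyone wrapping ssh in their own tooling: a naive string expansion that shows where an injected name would land (returned, never executed), beside a hardened path that validates names against an allowlist and substitutes into an already-split argv so no shell ever parses the result. The allowlist regexes, the length limits and the sample names are assumptions of this example, not the exact rule the patched ssh(1) applies.

```python
"""Validating user and host names before they reach a ProxyCommand-style shell.

Added illustration for the CVE-2023-51385 changelog entry; this is not OpenSSH's
or Debian's code. The character allowlists are this example's own assumption
(a conservative reading of what hostnames and login names contain).
"""
import re
import shlex

# Assumed allowlists (this example's choice, not OpenSSH's implementation).
# Hostnames: DNS-style labels or an IPv4 literal; no leading/trailing '-' or '.'.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")
# Login names: POSIX portable filename characters only.
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


def is_valid_hostname(host: str) -> bool:
    """Accept only names that cannot carry shell syntax: allowlisted characters,
    RFC 1035 length limits (253 total, 63 per label) and no empty labels."""
    if not host or len(host) > 253 or _HOST_RE.match(host) is None:
        return False
    return all(0 < len(label) <= 63 for label in host.split("."))


def is_valid_username(user: str) -> bool:
    """Accept only allowlisted login names of sane length (32 is assumed)."""
    return 0 < len(user) <= 32 and _USER_RE.match(user) is not None


def _expand_tokens(text: str, host: str, user: str, port: int) -> str:
    """Expand %h, %u, %p and %% in a single pass, so an expanded value is never
    re-scanned for further tokens."""
    mapping = {"h": host, "u": user, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 1 < len(text) and text[i + 1] in mapping:
            out.append(mapping[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def naive_proxy_command(template: str, host: str, user: str, port: int) -> str:
    """The unsafe shape: expand into one string destined for `sh -c` with no
    validation. Returned only to show where an injected name would land;
    nothing here is executed."""
    return _expand_tokens(template, host, user, port)


def safe_proxy_argv(template: str, host: str, user: str, port: int) -> list[str]:
    """The hardened shape: reject names outside the allowlist, then split the
    template into argv *before* substituting, so an expanded value can only
    ever be one argument and no shell sees it."""
    if not is_valid_hostname(host):
        raise ValueError(f"hostname rejected: {host!r}")
    if not is_valid_username(user):
        raise ValueError(f"username rejected: {user!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return [_expand_tokens(tok, host, user, port) for tok in shlex.split(template)]


def audit_names(names) -> dict:
    """Classify a batch of candidate hostnames, e.g. inventory data that will
    feed scripted ssh invocations; True means the name passed the allowlist."""
    return {name: is_valid_hostname(name) for name in names}


if __name__ == "__main__":
    # Constructed sample inputs, including one carrying a command separator.
    samples = ["bastion.example.com", "10.0.0.5", "host;id", "-leading", "a..b"]
    for name, ok in audit_names(samples).items():
        print(f"{name!r:24} {'ok' if ok else 'REJECTED'}")
    print("naive:", naive_proxy_command("ssh -W %h:%p jump", "host;id", "deploy", 22))
    print("safe: ", safe_proxy_argv("ssh -W %h:%p %u@jump", "bastion.example.com", "deploy", 22))
```

The naive path prints a string in which the semicolon from the name has become a command separator for the shell that would run it, which is exactly the quoting-dependent injection the entry describes; the safe path raises on that name and, for a clean name, yields an argv list that can be handed to an exec-style call without any shell.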