-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: s390x
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to
       effect a limited break of the integrity of the early encrypted SSH
       transport protocol by sending extra messages prior to the
       commencement of encryption, and deleting an equal number of
       consecutive messages immediately after encryption starts. A peer SSH
       client/server would not be able to detect that messages were
       deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys is unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----