Compare commits
12 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 0d305de5bd | |||
| 27b8b8121b | |||
| d7be2fe3a1 | |||
| 75e67e0125 | |||
| bfa8007fe2 | |||
| 65ef2ab48d | |||
| 05fab502ac | |||
| 1488742120 | |||
| a43d262c60 | |||
| 52f4a98fb9 | |||
| d95e3a2cc4 | |||
| 37c1544655 |
54
CVE-2025-47913.patch
Normal file
54
CVE-2025-47913.patch
Normal file
@@ -0,0 +1,54 @@
|
||||
From 2de8ea5d01b38bc555bc0ea8d00fc701841c571d Mon Sep 17 00:00:00 2001
|
||||
From: Nicola Murino <nicola.murino@gmail.com>
|
||||
Date: Sun, 31 Aug 2025 20:07:32 +0200
|
||||
Subject: [PATCH] ssh/agent: return an error for unexpected message types
|
||||
|
||||
Previously, receiving an unexpected message type in response to a key
|
||||
listing or a signing request could cause a panic due to a failed type
|
||||
assertion.
|
||||
|
||||
This change adds a default case to the type switch in order to detect
|
||||
and explicitly handle unknown or invalid message types, returning a
|
||||
descriptive error instead of crashing.
|
||||
|
||||
Fixes golang/go#75178
|
||||
|
||||
Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a
|
||||
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
Reviewed-by: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
|
||||
---
|
||||
ssh/agent/client.go | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ssh/agent/client.go b/ssh/agent/client.go
|
||||
index 37525e1..b357e18 100644
|
||||
--- a/ssh/agent/client.go
|
||||
+++ b/ssh/agent/client.go
|
||||
@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
|
||||
return keys, nil
|
||||
case *failureAgentMsg:
|
||||
return nil, errors.New("agent: failed to list keys")
|
||||
+ default:
|
||||
+ return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
|
||||
}
|
||||
- panic("unreachable")
|
||||
}
|
||||
|
||||
// Sign has the agent sign the data using a protocol 2 key as defined
|
||||
@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
|
||||
return &sig, nil
|
||||
case *failureAgentMsg:
|
||||
return nil, errors.New("agent: failed to sign challenge")
|
||||
+ default:
|
||||
+ return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
|
||||
}
|
||||
- panic("unreachable")
|
||||
}
|
||||
|
||||
// unmarshal parses an agent message in packet, returning the parsed
|
||||
--
|
||||
2.51.1
|
||||
|
||||
Binary file not shown.
3
amazon-ssm-agent-3.3.3598.0.tar.gz
Normal file
3
amazon-ssm-agent-3.3.3598.0.tar.gz
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e892600cd0b24d29e4d574c2102bb6821359ccfda9f57ccae29a510620753d0a
|
||||
size 32205624
|
||||
@@ -1,3 +1,83 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 5 12:39:50 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to version 3.3.3598.0
|
||||
* Allow Patch execution to persist across reboots not registered to SSM Agent
|
||||
- from version 3.3.3572.0
|
||||
* Fix ENV_VAR interpolation to work correctly with parameter store value
|
||||
* Implement immediate retries for failed reply messages to MGS for RunCommand documents
|
||||
* Improve ssm-cli get-diagnostics command log output
|
||||
* Support DomainJoin endpoint for EU sovereign cloud
|
||||
* Support dualstack S3 endpoint for distributor packages
|
||||
* Upgrade Go version to 1.24.11
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 18 09:53:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Add CVE-2025-47913.patch to fix an SSH client process terminating
|
||||
when receiving an unexpected message type in response to a key
|
||||
listing or signing request (bsc#1253611, CVE-2025-47913)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 23 13:12:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to version 3.3.3270.0
|
||||
* Add initial IPv6 support with UseDualStackEndpoint configuration option
|
||||
* Fix CPU utilization issue for instances with thousands of network interfaces
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 1 09:09:08 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to version 3.3.3185.0
|
||||
* Add IMDS retry count to account for EC2 droplet refresh
|
||||
* Fix duplicate uid error logging in MDS module
|
||||
* Update aws:Domainjoin plugin logging from Log4Net to NLog
|
||||
* Upgrade Go version to 1.24.7
|
||||
* Update github.com/go-git/go-git/v5 to 5.15.0
|
||||
* Update golang.org/x/crypto to v0.37.0
|
||||
* Update golang.org/x/net to v0.39.0
|
||||
* Update golang.org/x/sys to v0.32.0
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 2 10:55:44 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to version 3.3.3050.0
|
||||
* Add EU sovereign cloud S3 endpoint for DownloadContent plugin
|
||||
* Add configurable credential rotation max backoff interval
|
||||
- from version 3.3.2958.0
|
||||
* Migrate from twinj/uuid to google/uuid library
|
||||
* Allow newer agent versions to be installed when deploying on Greengrass
|
||||
* Harden function to remove non-admin run command documents in execution path
|
||||
* Fix macOS credential refresher test issue due to missing Debugf from serialport skip file
|
||||
* Enhance testability of custom certificate usage in debug SSM Agent builds
|
||||
* Decouple serial port from startup and add credential refresher serialport logging
|
||||
* Add GlobalEnhancedTelemetryEnabled config to README
|
||||
* Add cloudwatch logs endpoint configuration to optional config for agent
|
||||
* Update Greengrass component version
|
||||
- from version 3.3.2746.0
|
||||
* Add file privilege check before processing document state file
|
||||
* Storing AWS document interpolation ENV_VAR types as environment variables
|
||||
* Throw explicit error when running local cli as non-priviledged user
|
||||
* Harden telemetry dynamic config folder permissions
|
||||
* Add configuration option for HandshakeTimeout
|
||||
- from version 3.3.2656.0
|
||||
* Improve unit tests
|
||||
* Add setup for emitting telemetry logs and metrics
|
||||
* Add initial selection of error logs to emit to telemetry
|
||||
* Simplify checkstyle and import organization in build scripts
|
||||
* Update golang.org/x/net from v0.37.0 to v0.38.0
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 2 09:26:04 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to version 3.3.2471.0
|
||||
* Improve unit tests
|
||||
* Agent hibernation reason is logged to EC2 system logs
|
||||
* Add metrics for the EC2Detector and IMDS EC2 status findings
|
||||
* Change Linux DomainJoin plugin parameter KeepHostName to accept
|
||||
both boolean and string
|
||||
* Upgrade GoLang to version 1.23.8
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 15 10:41:20 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package amazon-ssm-agent
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2026 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -17,14 +17,18 @@
|
||||
|
||||
|
||||
Name: amazon-ssm-agent
|
||||
Version: 3.3.2299.0
|
||||
Version: 3.3.3598.0
|
||||
Release: 0
|
||||
Summary: Amazon Remote System Config Management
|
||||
License: Apache-2.0
|
||||
Group: System/Management
|
||||
URL: https://github.com/aws/amazon-ssm-agent
|
||||
Source0: https://github.com/aws/amazon-ssm-agent/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
BuildRequires: go >= 1.21
|
||||
# PATCH-FIX-UPSTREAM - Fix an SSH client process terminating when receiving an unexpected
|
||||
# message type in response to a key listing or signing request (CVE-2025-47913)
|
||||
# Partial patch taken from https://cs.opensource.google/go/x/crypto/+/559e062ce8bfd6a39925294620b50906ca2a6f95
|
||||
Patch0: CVE-2025-47913.patch
|
||||
BuildRequires: go >= 1.24
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Requires: systemd
|
||||
Provides: bundled(golang(github.com/Microsoft/go-winio))
|
||||
@@ -95,6 +99,9 @@ environment that are configured for Systems Manager.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
pushd vendor/golang.org/x/crypto
|
||||
%patch -P0 -p1
|
||||
popd
|
||||
sed -i -e 's#const[ \s]*Version.*#const Version = "%{version}"#g' agent/version/version.go
|
||||
sed -i 's#/bin/#/sbin/#' packaging/linux/amazon-ssm-agent.service
|
||||
sed -i 's#var defaultWorkerPath = "/usr/bin/"#var defaultWorkerPath = "/usr/sbin/"#' agent/appconfig/constants_unix.go
|
||||
|
||||
Reference in New Issue
Block a user