Accepting request 1099856 from network

- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libaries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team. 
 
  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11".
     Note that ssh-agent(8) depends on the SSH client to identify
     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
     this, but forwarding access to an agent socket using other tools
     may circumvent this restriction. (forwarded request 1099810 from simotek)

OBS-URL: https://build.opensuse.org/request/show/1099856
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=165

openssh-9.3p1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
-size 1856839

openssh-9.3p1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
-YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
-iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
-OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
-EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
-ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
-ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
-CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
-jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
-f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
-NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
-k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
-=deVJ
------END PGP SIGNATURE-----

openssh-9.3p2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
+YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
+pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
+8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
+jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
+8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
+PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
+iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
+kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
+LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
+VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
+jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
+=yVD2
+-----END PGP SIGNATURE-----

openssh-askpass-gnome.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
+
+- Update to openssh 9.3p2
+  * No changes for askpass, see main package changelog for
+    details
+
 -------------------------------------------------------------------
 Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
 

openssh-askpass-gnome.spec

@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        9.3p1
+Version:        9.3p2
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause

openssh.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Jul 21 02:48:58 UTC 2023 - Simon Lees <sflees@suse.de>
+
+- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+  Security
+  ========
+
+  Fix CVE-2023-38408 - a condition where specific libaries loaded via
+  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
+  code execution via a forwarded agent socket if the following
+  conditions are met:
+
+  * Exploitation requires the presence of specific libraries on
+    the victim system.
+  * Remote exploitation requires that the agent was forwarded
+    to an attacker-controlled system.
+
+  Exploitation can also be prevented by starting ssh-agent(1) with an
+  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
+  an allowlist that contains only specific provider libraries.
+
+  This vulnerability was discovered and demonstrated to be exploitable
+  by the Qualys Security Advisory team. 
+ 
+  In addition to removing the main precondition for exploitation,
+  this release removes the ability for remote ssh-agent(1) clients
+  to load PKCS#11 modules by default (see below).
+
+  Potentially-incompatible changes
+  --------------------------------
+
+   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
+     modules issued by remote clients by default. A flag has been added
+     to restore the previous behaviour "-Oallow-remote-pkcs11".
+
+     Note that ssh-agent(8) depends on the SSH client to identify
+     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
+     this, but forwarding access to an agent socket using other tools
+     may circumvent this restriction.
+
+
 -------------------------------------------------------------------
 Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
 

openssh.spec

@@ -37,7 +37,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        9.3p1
+Version:        9.3p2
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT