diff --git a/openssh-9.3p1.tar.gz b/openssh-9.3p1.tar.gz
deleted file mode 100644
index f703f3c..0000000
--- a/openssh-9.3p1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
-size 1856839
diff --git a/openssh-9.3p1.tar.gz.asc b/openssh-9.3p1.tar.gz.asc
deleted file mode 100644
index b3f840c..0000000
--- a/openssh-9.3p1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
-YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
-iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
-OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
-EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
-ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
-ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
-CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
-jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
-f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
-NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
-k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
-=deVJ
------END PGP SIGNATURE-----
diff --git a/openssh-9.3p2.tar.gz b/openssh-9.3p2.tar.gz
new file mode 100644
index 0000000..09b3535
--- /dev/null
+++ b/openssh-9.3p2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
+size 1835850
diff --git a/openssh-9.3p2.tar.gz.asc b/openssh-9.3p2.tar.gz.asc
new file mode 100644
index 0000000..80f2f32
--- /dev/null
+++ b/openssh-9.3p2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
+YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
+pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
+8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
+jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
+8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
+PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
+iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
+kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
+LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
+VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
+jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
+=yVD2
+-----END PGP SIGNATURE-----
diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes
index 7cb8649..3639652 100644
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 21 05:13:56 UTC 2023 - Simon Lees
+
+- Update to openssh 9.3p2
+ * No changes for askpass, see main package changelog for
+ details
+
 -------------------------------------------------------------------
 Sun May 28 09:16:44 UTC 2023 - Andreas Stieger
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 1324e72..51a1e4b 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -18,7 +18,7 @@
 %define _name openssh
 Name: openssh-askpass-gnome
-Version: 9.3p1
+Version: 9.3p2
 Release: 0
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
 License: BSD-2-Clause
diff --git a/openssh.changes b/openssh.changes
index b71f4aa..9e04114 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Jul 21 02:48:58 UTC 2023 - Simon Lees
+
+- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+ Security
+ ========
+
+ Fix CVE-2023-38408 - a condition where specific libaries loaded via
+ ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
+ code execution via a forwarded agent socket if the following
+ conditions are met:
+
+ * Exploitation requires the presence of specific libraries on
+ the victim system.
+ * Remote exploitation requires that the agent was forwarded
+ to an attacker-controlled system.
+
+ Exploitation can also be prevented by starting ssh-agent(1) with an
+ empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
+ an allowlist that contains only specific provider libraries.
+
+ This vulnerability was discovered and demonstrated to be exploitable
+ by the Qualys Security Advisory team.
+
+ In addition to removing the main precondition for exploitation,
+ this release removes the ability for remote ssh-agent(1) clients
+ to load PKCS#11 modules by default (see below).
+
+ Potentially-incompatible changes
+ --------------------------------
+
+ * ssh-agent(8): the agent will now refuse requests to load PKCS#11
+ modules issued by remote clients by default. A flag has been added
+ to restore the previous behaviour "-Oallow-remote-pkcs11".
+
+ Note that ssh-agent(8) depends on the SSH client to identify
+ requests that are remote. The OpenSSH >=8.9 ssh(1) client does
+ this, but forwarding access to an agent socket using other tools
+ may circumvent this restriction.
+
+
 -------------------------------------------------------------------
 Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa
diff --git a/openssh.spec b/openssh.spec
index 99de630..d0bb5b7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -37,7 +37,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: openssh
-Version: 9.3p1
+Version: 9.3p2
 Release: 0
 Summary: Secure Shell Client and Server (Remote Login Program)
 License: BSD-2-Clause AND MIT