From 67a17999e66d06fcd492f2f1365c11c98701081720a07183fbfd9cd5b719326d Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 21 Jul 2023 07:35:33 +0000 Subject: [PATCH] Accepting request 1099810 from home:simotek:branches:network - Update to openssh 9.3p2 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. OBS-URL: https://build.opensuse.org/request/show/1099810 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=249 --- openssh-9.3p1.tar.gz | 3 --- openssh-9.3p1.tar.gz.asc | 16 -------------- openssh-9.3p2.tar.gz | 3 +++ openssh-9.3p2.tar.gz.asc | 16 ++++++++++++++ openssh-askpass-gnome.changes | 7 ++++++ openssh-askpass-gnome.spec | 2 +- openssh.changes | 41 +++++++++++++++++++++++++++++++++++ openssh.spec | 2 +- 8 files changed, 69 insertions(+), 21 deletions(-) delete mode 100644 openssh-9.3p1.tar.gz delete mode 100644 openssh-9.3p1.tar.gz.asc create mode 100644 openssh-9.3p2.tar.gz create mode 100644 openssh-9.3p2.tar.gz.asc diff --git a/openssh-9.3p1.tar.gz b/openssh-9.3p1.tar.gz deleted file mode 100644 index f703f3c..0000000 --- a/openssh-9.3p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8 -size 1856839 diff --git a/openssh-9.3p1.tar.gz.asc b/openssh-9.3p1.tar.gz.asc deleted file mode 100644 index b3f840c..0000000 --- a/openssh-9.3p1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg -YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i -iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB -OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0 -EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa -ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf -ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0 -CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg -jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu -f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa -NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU -k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k= -=deVJ ------END PGP SIGNATURE----- diff --git a/openssh-9.3p2.tar.gz b/openssh-9.3p2.tar.gz new file mode 100644 index 0000000..09b3535 --- /dev/null +++ b/openssh-9.3p2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8 +size 1835850 diff --git a/openssh-9.3p2.tar.gz.asc b/openssh-9.3p2.tar.gz.asc new file mode 100644 index 0000000..80f2f32 --- /dev/null +++ b/openssh-9.3p2.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg +YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3 +pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH +8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa +jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5 +8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4 +PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl +iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/ +kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh +LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w +VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/ +jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg= +=yVD2 +-----END PGP SIGNATURE----- diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 7cb8649..3639652 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Jul 21 05:13:56 UTC 2023 - Simon Lees + +- Update to openssh 9.3p2 + * No changes for askpass, see main package changelog for + details + ------------------------------------------------------------------- Sun May 28 09:16:44 UTC 2023 - Andreas Stieger diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 1324e72..51a1e4b 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 9.3p1 +Version: 9.3p2 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause diff --git a/openssh.changes b/openssh.changes index b71f4aa..9e04114 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,44 @@ +------------------------------------------------------------------- +Fri Jul 21 02:48:58 UTC 2023 - Simon Lees + +- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): + Security + ======== + + Fix CVE-2023-38408 - a condition where specific libaries loaded via + ssh-agent(1)'s PKCS#11 support could be abused to achieve remote + code execution via a forwarded agent socket if the following + conditions are met: + + * Exploitation requires the presence of specific libraries on + the victim system. + * Remote exploitation requires that the agent was forwarded + to an attacker-controlled system. + + Exploitation can also be prevented by starting ssh-agent(1) with an + empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring + an allowlist that contains only specific provider libraries. + + This vulnerability was discovered and demonstrated to be exploitable + by the Qualys Security Advisory team. + + In addition to removing the main precondition for exploitation, + this release removes the ability for remote ssh-agent(1) clients + to load PKCS#11 modules by default (see below). + + Potentially-incompatible changes + -------------------------------- + + * ssh-agent(8): the agent will now refuse requests to load PKCS#11 + modules issued by remote clients by default. A flag has been added + to restore the previous behaviour "-Oallow-remote-pkcs11". + + Note that ssh-agent(8) depends on the SSH client to identify + requests that are remote. The OpenSSH >=8.9 ssh(1) client does + this, but forwarding access to an agent socket using other tools + may circumvent this restriction. + + ------------------------------------------------------------------- Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa diff --git a/openssh.spec b/openssh.spec index 99de630..d0bb5b7 100644 --- a/openssh.spec +++ b/openssh.spec @@ -37,7 +37,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 9.3p1 +Version: 9.3p2 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT