Accepting request 1099856 from network
- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for details

- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):

  Security
  ========

  Fix CVE-2023-38408 - a condition where specific libraries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:

  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.

  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.

  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team.

  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).

  Potentially-incompatible changes
  --------------------------------

  * ssh-agent(8): the agent will now refuse requests to load PKCS#11
    modules issued by remote clients by default. A flag has been added
    to restore the previous behaviour "-Oallow-remote-pkcs11".

    Note that ssh-agent(8) depends on the SSH client to identify
    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
    this, but forwarding access to an agent socket using other tools
    may circumvent this restriction.

(forwarded request 1099810 from simotek)

OBS-URL: https://build.opensuse.org/request/show/1099856
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=165
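The changelog above describes two controls on the agent side: the `-P` allowlist of provider libraries ssh-agent(1) may load, and, new in 9.3p2, refusing PKCS#11 load requests on connections the ssh(1) client has marked as remote. The Python below is an added example, not OpenSSH code and not part of this package, that models those two decisions as a filter over raw agent-protocol requests, the kind of check a socket-filtering proxy in front of a forwarded agent would make. The message numbers and the uint32-length framing are from the OpenSSH agent protocol draft; the `remote` flag, the `allowlist` of exact paths, the `filter_request` function and the sample requests are assumptions of this example (the real agent derives "remote" from the session-bind@openssh.com extension that ssh(1) >= 8.9 sends, and its `-P` allowlist is a pattern list rather than exact paths).

```python
import struct

# Agent protocol message numbers (OpenSSH agent protocol draft).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_REMOVE_SMARTCARD_KEY = 21
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26

# Requests that make the agent dlopen() a caller-supplied provider library;
# loading such a library is the precondition CVE-2023-38408 depends on.
PKCS11_LOAD_REQUESTS = {
    SSH_AGENTC_ADD_SMARTCARD_KEY,
    SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED,
}


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Wrap one agent message: uint32 length || byte type || payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def parse_frame(data: bytes):
    """Split off one complete message; return (type, payload, rest) or None."""
    if len(data) < 4:
        return None
    (length,) = struct.unpack(">I", data[:4])
    if length < 1 or len(data) < 4 + length:
        return None
    body = data[4:4 + length]
    return body[0], body[1:], data[4 + length:]


def provider_path(payload: bytes) -> bytes:
    """The first string of an ADD_SMARTCARD_KEY request is the provider path."""
    (n,) = struct.unpack(">I", payload[:4])
    if len(payload) < 4 + n:
        raise ValueError("truncated provider path")
    return payload[4:4 + n]


def filter_request(data: bytes, remote: bool, allowlist=()):
    """Decide what a filtering proxy does with one client request.

    Returns ('reply', failure_message) when the request must be refused
    and ('forward', data) when it may reach the agent unchanged.
    remote    - assumed flag: the ssh client marked this connection forwarded
    allowlist - assumed model of `ssh-agent -P`, here exact provider paths
    """
    parsed = parse_frame(data)
    if parsed is None:
        raise ValueError("short or malformed agent message")
    msg_type, payload, _rest = parsed
    if msg_type not in PKCS11_LOAD_REQUESTS:
        return "forward", data
    # 9.3p2 default: remote clients may not load PKCS#11 modules at all.
    if remote:
        return "reply", frame(SSH_AGENT_FAILURE)
    # Local clients are still limited to the -P allowlist (empty = nothing).
    if provider_path(payload) not in allowlist:
        return "reply", frame(SSH_AGENT_FAILURE)
    return "forward", data


# Constructed sample requests for this example (not captured traffic).
SAMPLE_PKCS11_REQUEST = frame(
    SSH_AGENTC_ADD_SMARTCARD_KEY,
    ssh_string(b"/tmp/attacker-controlled.so") + ssh_string(b"1234"),
)
SAMPLE_LIST_REQUEST = frame(SSH_AGENTC_REQUEST_IDENTITIES)

if __name__ == "__main__":
    for label, remote in (("forwarded", True), ("local", False)):
        action, _ = filter_request(SAMPLE_PKCS11_REQUEST, remote=remote)
        print(f"{label} ADD_SMARTCARD_KEY: {action}")
    print("list identities:", filter_request(SAMPLE_LIST_REQUEST, True)[0])
```

The model also makes the caveat in the changelog concrete: the `remote` decision is only as good as whatever sets the flag. A forwarding tool that relays the socket without the session-bind extension leaves `remote` false, and the load request is then judged only against the allowlist, which is why `ssh-agent -P ''` remains the robust mitigation when the client side is not under your control.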
commit b77a1e6444
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
size 1856839
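Review bot: the removed LFS pointer records the old object (oid sha256:e9baba7701a7..., size 1856839), but the replacement pointer for openssh-9.3p2.tar.gz is not visible on this page ("Binary file not shown"), so neither the new oid nor the new size can be checked from the diff. Before accepting, fetch the LFS object and run gpg --verify openssh-9.3p2.tar.gz.asc openssh-9.3p2.tar.gz against the key the package already trusts rather than relying on the LFS hash alone.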
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
=deVJ
-----END PGP SIGNATURE-----
openssh-9.3p2.tar.gz (BIN, stored with Git LFS, new file)
Binary file not shown.
openssh-9.3p2.tar.gz.asc (16 lines, new file)
@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
=yVD2
-----END PGP SIGNATURE-----
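Review bot: the added detached signature starts with the same issuer-fingerprint bytes as the removed one (iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAm... in both), so 9.3p2 is signed by the same key as 9.3p1, which is what we want; only the bytes after that prefix (the signature timestamp and the signature body) differ. The spec hunks further down change nothing but Version, so this diff does not show whether the .asc is verified at build time or merely shipped alongside the tarball; please confirm the build actually checks it.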
@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
- Update to openssh 9.3p2
* No changes for askpass, see main package changelog for
details
-------------------------------------------------------------------
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
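Review bot: the askpass changelog entry ("No changes for askpass, see main package changelog for details") omits the bsc#1213504 / CVE-2023-38408 references that the main package entry carries; since the subpackage is being rebuilt for that fix, carry the same references here, e.g. "- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408)", so this changelog is also searchable for the CVE.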
@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.3p1
Version: 9.3p2
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
@ -1,3 +1,44 @@
-------------------------------------------------------------------
Fri Jul 21 02:48:58 UTC 2023 - Simon Lees <sflees@suse.de>
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
-------------------------------------------------------------------
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
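Review bot: "specific libaries loaded via ssh-agent(1)'s PKCS#11 support" should read "specific libraries loaded via"; the typo is inherited from the upstream release notes, but this changelog is what users will grep, so fix it before merging. The rest of the entry is right to keep both mitigations side by side, the -P allowlist (ssh-agent -P '') and the new default that refuses PKCS#11 loads from remote clients, together with the caveat that an agent reached through tools other than the >=8.9 ssh(1) client cannot tell that a request is remote.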
@ -37,7 +37,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.3p1
Version: 9.3p2
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT