Accepting request 1099856 from network

- Update to openssh 9.3p2
  * No changes for askpass, see main package changelog for
    details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
  Security
  ========
  Fix CVE-2023-38408 - a condition where specific libaries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
  code execution via a forwarded agent socket if the following
  conditions are met:
  * Exploitation requires the presence of specific libraries on
    the victim system.
  * Remote exploitation requires that the agent was forwarded
    to an attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an
  empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
  an allowlist that contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable
  by the Qualys Security Advisory team. 
 
  In addition to removing the main precondition for exploitation,
  this release removes the ability for remote ssh-agent(1) clients
  to load PKCS#11 modules by default (see below).
  Potentially-incompatible changes
  --------------------------------
   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added
     to restore the previous behaviour "-Oallow-remote-pkcs11".
     Note that ssh-agent(8) depends on the SSH client to identify
     requests that are remote. The OpenSSH >=8.9 ssh(1) client does
     this, but forwarding access to an agent socket using other tools
     may circumvent this restriction. (forwarded request 1099810 from simotek)

OBS-URL: https://build.opensuse.org/request/show/1099856
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=165
This commit is contained in:
Ana Guerrero 2023-07-24 16:11:47 +00:00 committed by Git OBS Bridge
commit b77a1e6444
8 changed files with 69 additions and 21 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
size 1856839

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
=deVJ
-----END PGP SIGNATURE-----

BIN
openssh-9.3p2.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
openssh-9.3p2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
=yVD2
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <sflees@suse.de>
- Update to openssh 9.3p2
* No changes for askpass, see main package changelog for
details
------------------------------------------------------------------- -------------------------------------------------------------------
Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

View File

@ -18,7 +18,7 @@
%define _name openssh %define _name openssh
Name: openssh-askpass-gnome Name: openssh-askpass-gnome
Version: 9.3p1 Version: 9.3p2
Release: 0 Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause License: BSD-2-Clause

View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Fri Jul 21 02:48:58 UTC 2023 - Simon Lees <sflees@suse.de>
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com> Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>

View File

@ -37,7 +37,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: openssh Name: openssh
Version: 9.3p1 Version: 9.3p2
Release: 0 Release: 0
Summary: Secure Shell Client and Server (Remote Login Program) Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT License: BSD-2-Clause AND MIT