Marcus Meissner
67a17999e6
- Update to openssh 9.3p2 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. OBS-URL: https://build.opensuse.org/request/show/1099810 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=249 |
||
---|---|---|
_multibuild | ||
.gitattributes | ||
.gitignore | ||
cavs_driver-ssh.pl | ||
fix-missing-lz.patch | ||
openssh-7.7p1-cavstest-ctr.patch | ||
openssh-7.7p1-cavstest-kdf.patch | ||
openssh-7.7p1-disable_openssl_abi_check.patch | ||
openssh-7.7p1-eal3.patch | ||
openssh-7.7p1-enable_PAM_by_default.patch | ||
openssh-7.7p1-fips_checks.patch | ||
openssh-7.7p1-fips.patch | ||
openssh-7.7p1-host_ident.patch | ||
openssh-7.7p1-hostname_changes_when_forwarding_X.patch | ||
openssh-7.7p1-IPv6_X_forwarding.patch | ||
openssh-7.7p1-ldap.patch | ||
openssh-7.7p1-no_fork-no_pid_file.patch | ||
openssh-7.7p1-pam_check_locks.patch | ||
openssh-7.7p1-pts_names_formatting.patch | ||
openssh-7.7p1-remove_xauth_cookies_on_exit.patch | ||
openssh-7.7p1-seccomp_ipc_flock.patch | ||
openssh-7.7p1-seccomp_stat.patch | ||
openssh-7.7p1-send_locale.patch | ||
openssh-7.7p1-sftp_force_permissions.patch | ||
openssh-7.7p1-sftp_print_diagnostic_messages.patch | ||
openssh-7.7p1-systemd-notify.patch | ||
openssh-7.7p1-X11_trusted_forwarding.patch | ||
openssh-7.7p1-X_forward_with_disabled_ipv6.patch | ||
openssh-7.9p1-keygen-preserve-perms.patch | ||
openssh-7.9p1-revert-new-qos-defaults.patch | ||
openssh-8.0p1-gssapi-keyex.patch | ||
openssh-8.1p1-audit.patch | ||
openssh-8.1p1-ed25519-use-openssl-rng.patch | ||
openssh-8.1p1-seccomp-clock_gettime64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep.patch | ||
openssh-8.1p1-use-openssl-kdf.patch | ||
openssh-8.4p1-pam_motd.patch | ||
openssh-8.4p1-ssh_config_d.patch | ||
openssh-8.4p1-vendordir.patch | ||
openssh-9.3p2.tar.gz | ||
openssh-9.3p2.tar.gz.asc | ||
openssh-askpass-gnome.changes | ||
openssh-askpass-gnome.spec | ||
openssh-do-not-send-empty-message.patch | ||
openssh-fips-ensure-approved-moduli.patch | ||
openssh-link-with-sk.patch | ||
openssh-openssl-3.patch | ||
openssh-reenable-dh-group14-sha1-default.patch | ||
openssh-whitelist-syscalls.patch | ||
openssh.changes | ||
openssh.keyring | ||
openssh.spec | ||
README.FIPS | ||
README.kerberos | ||
README.SUSE | ||
ssh-askpass | ||
ssh.reg | ||
sshd-gen-keys-start | ||
sshd-sle.pamd | ||
sshd.fw | ||
sshd.pamd | ||
sshd.service | ||
sysconfig.ssh | ||
sysusers-sshd.conf | ||
wtmpdb.patch |
There are following changes in default settings of ssh client and server: * Accepting and sending of locale environment variables in protocol 2 is enabled. * PAM authentication is enabled and mostly even required, do not turn it off. * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot be considered safe any more. * Accepting all RFC4419 specified DH group parameters. See KexDHMin in ssh_config and sshd_config manual pages. For more information on differences in SUSE OpenSSH package see README.FIPS