From patchwork Thu Jul 20 16:04:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7004 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4R6HZX57h5z3wb3 for ; Thu, 20 Jul 2023 16:04:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4R6HZT6bHKzT1; Thu, 20 Jul 2023 16:04:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4R6HZT64lBz30BD; Thu, 20 Jul 2023 16:04:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4R6HZS6ktWz2xgB for ; Thu, 20 Jul 2023 16:04:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4R6HZR3pVPzT1; Thu, 20 Jul 2023 16:04:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1689869088; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=msvTXpXf9dgw0NQTp/cFsqxBDyrQDAUq9quJlkSRSjY=; b=eH/EkG+DpR+6Ix/RJu28cw66mAqR9f22Dx50rBuA9bwD/s6/65jkLOqcHMoTxTWMFtmZdf 5dyGGvBu7m9lpQCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1689869088; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=msvTXpXf9dgw0NQTp/cFsqxBDyrQDAUq9quJlkSRSjY=; b=GTcSrkfsPCCMYcQuF7IFPT6jpQKx7SmLT43fYTtEqzpc/l40BfiQKCGxh+1KoDeEL/I7WV jrtxNXzX/JbnEX2JcjbOPWsNmr7WNkE5l50BmPhfXFvYHDa2BIhSkVUeHdAvDDpgkle8GD IjtbZlwIsIt6Xi2cEh5S6JnatFEoDpw+h6HDSnvRwVcu3WKfEj7MWDXD3ZfhLrYAsLyiui /TIEfP5HwZdsdzwQpSd2ZJpP/h+Zt68k0MxkNqXRLSqcWXPUyeaPMwiZ37aKX96espk61h naGecW1gjSCiZFEZ7wFnbrQ93Oa6zzeWi0Jfw8lzb+3y9iK9JgLS97+WRw5GFQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to version 9.3p2 - Fixes CVE-2023-38408 Date: Thu, 20 Jul 2023 18:04:39 +0200 Message-ID: <20230720160439.3433775-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from version 9.3p1 to 9.3p2 - Update of rootfile not required - Changelog 9.3p2 (2023-07-19) This release fixes a security bug. Security Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. Signed-off-by: Adolf Belka --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index 5a18edd70..83c94ffdc 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 9.3p1 +VER = 9.3p2 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d +$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f install : $(TARGET)