
Accepted openssh 1:9.2p1-2+deb12u2 (source) into proposed-updates

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Architecture: source
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
       ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
       added in OpenSSH 8.9, a logic error prevented the constraints from
       being communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys is unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in the
       user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 b8c40341353d53e043cb66eb4d78f0eb97dfddcf 3229 openssh_9.2p1-2+deb12u2.dsc
 3b172b8e971773a7018bbf3231f6589ae539ca4b 1852380 openssh_9.2p1.orig.tar.gz
 057ac5ac6e2fa0a26a105b085822a09f1a068683 833 openssh_9.2p1.orig.tar.gz.asc
 16cba66caf76b5282ca9135670ac2fce2a4abd8a 191360 openssh_9.2p1-2+deb12u2.debian.tar.xz
 29b80808914645115336d6b393efe57d2398b1f3 15881 openssh_9.2p1-2+deb12u2_source.buildinfo
Checksums-Sha256:
 147649417f149b404c20bf64717e60339ef088f1ae00589f42cd3888a680a5be 3229 openssh_9.2p1-2+deb12u2.dsc
 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 1852380 openssh_9.2p1.orig.tar.gz
 7acc8e9502040972aeecb785fa3b6bb00c069cc01fbd7c214f8f7867033a6dbb 833 openssh_9.2p1.orig.tar.gz.asc
 c5317cfc95be66f325c88323d066320f0aa00a7970dddd9fc0916a1f17e114d4 191360 openssh_9.2p1-2+deb12u2.debian.tar.xz
 160ac354a3c803e203a45fd850b059de6c05c3319cc6715cc6bb78e57705c57a 15881 openssh_9.2p1-2+deb12u2_source.buildinfo
Files:
 f7a4e05b382ba909c0cb4b95ef80d554 3229 net standard openssh_9.2p1-2+deb12u2.dsc
 f78b2acac4bb299629a8c58ddc3fac63 1852380 net standard openssh_9.2p1.orig.tar.gz
 4b8baeab4dd1ff732a02e94c227cf788 833 net standard openssh_9.2p1.orig.tar.gz.asc
 b06d3e7e9680058bf5444cadc4ce41c5 191360 net standard openssh_9.2p1-2+deb12u2.debian.tar.xz
 73cb53b65064b4cdee862965e4767f4a 15881 net standard openssh_9.2p1-2+deb12u2_source.buildinfo
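The CVE-2023-51385 entry above describes the hazard of expanding an unvalidated user or host name into a ProxyCommand, LocalCommand or Match exec string. As an added illustration (not OpenSSH's or Debian's code), the Python below validates both values before expanding %u/%h and reports which shell metacharacters a rejected value contained; the allow-lists, function names and sample values are assumptions made for this example, not OpenSSH's exact rules.

```python
"""Defensive token expansion for ssh_config-style ProxyCommand templates.

Added illustration, not OpenSSH code. Before a user or host name is substituted
for %u / %h, reject any value that carries shell metacharacters. The allow-lists
below are an assumption for this example, not OpenSSH's exact rules.
"""
import re

# Characters that let a substituted value break out of its place in a shell
# command line (separators, substitution, quoting, globbing, whitespace).
SHELL_META = frozenset("`$\\\"'|&;<>()*?!~[]{}\n\t ")

# Constructed allow-lists (assumption): hostnames and IPv6 literals, and Unix
# style user names. A leading '-' is refused so the value can never be parsed
# as an option by the command it is handed to.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]*$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def shell_metachars(value: str) -> str:
    """Return the shell metacharacters found in value, sorted; '' if none."""
    return "".join(sorted(c for c in set(value) if c in SHELL_META))


def valid_hostname(host: str) -> bool:
    return _HOST_RE.fullmatch(host) is not None


def valid_user(user: str) -> bool:
    return _USER_RE.fullmatch(user) is not None


def expand_tokens(template: str, *, user: str, host: str, port: int = 22) -> str:
    """Expand %u, %h, %p and %% as ssh_config(5) does, refusing unsafe values."""
    if not valid_hostname(host):
        raise ValueError(f"refusing unsafe hostname {host!r}: {shell_metachars(host)!r}")
    if not valid_user(user):
        raise ValueError(f"refusing unsafe user name {user!r}: {shell_metachars(user)!r}")
    tokens = {"u": user, "h": host, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok not in tokens:
                raise ValueError(f"unknown expansion token %{tok}")
            out.append(tokens[tok])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: a legitimate jump-host template and hostile values.
    print(expand_tokens("ssh -W %h:%p jump", user="deploy", host="db1.internal"))
    for bad in ("db1;true", "`hostname`", "$(true)"):
        print(bad, "-> rejected, metacharacters:", shell_metachars(bad))
```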