Accepted openssh 1:8.4p1-5+deb11u3 (source) into oldstable-proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted openssh 1:8.4p1-5+deb11u3 (source) into oldstable-proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 22 Dec 2023 21:18:37 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: openssh_8.4p1-5+deb11u3_source.changes
- Debian-source: openssh
- Debian-suite: oldstable-proposed-updates
- Debian-version: 1:8.4p1-5+deb11u3
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=xHZ9b7opSCU+8PicLjxLf1N2rxpKy4zWlbczCjEKVsY=; b=KJi+qx1SevOfBOLNBHTioPMJw0 I2tijlmum3puB788LsAcHwaF6s2MPFeKVboKUlrCioflQ9O/ZMKksGbTPswCPCjU5nKqj/BGzhBsb 6t1IimJ6ylcxsYbGDCn5Y4e3vhKD/al9/XI+KdD2nRG/nGff31Cj2URyv5ZzbgnglwDoD1ahVpb9I qrn65H7cOR65ot1p4UZGVji7KNOFpF+c1Jj7MPe0WvEUbvCfaikuXOlsAdeWqAbMZfNV53xbxN3e0 9+CjmDrlkYFUMUGwD0ndNN/4Q43Mlm8ue6dQFHxK15QOW5p0ncKse8eAzWewOFyPrE5gfyhR0agjX 0AUw2brw==;
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1rGmuj-00GOHs-EM@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 21 Dec 2023 16:09:44 +0000
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 995130
Changes:
openssh (1:8.4p1-5+deb11u3) bullseye-security; urgency=medium
.
  * Cherry-pick from upstream:
    - [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to
      correctly initialise supplemental groups when executing an
      AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
      AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive
      has been set to run the command as a different user. Instead these
      commands would inherit the groups that sshd(8) was started with
      (closes: #995130).
    - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
      thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
      Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
      a limited break of the integrity of the early encrypted SSH transport
      protocol by sending extra messages prior to the commencement of
      encryption, and deleting an equal number of consecutive messages
      immediately after encryption starts. A peer SSH client/server would
      not be able to detect that messages were deleted.
    - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
      shell metacharacters was passed to ssh(1), and a ProxyCommand,
      LocalCommand directive or "match exec" predicate referenced the user
      or hostname via %u, %h or similar expansion token, then an attacker
      who could supply arbitrary user/hostnames to ssh(1) could potentially
      perform command injection depending on what quoting was present in the
      user-supplied ssh_config(5) directive. ssh(1) now bans most shell
      metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
3bbca3973f5db9442eb8ed2cdb141fcfc122d699 3270 openssh_8.4p1-5+deb11u3.dsc
69305059e10a60693ebe6f17731f962c9577535c 1742201 openssh_8.4p1.orig.tar.gz
323573568682eac265e1f69206bc98149a8e423e 683 openssh_8.4p1.orig.tar.gz.asc
d38cba955daa0185b9f6a0cb7152591de23f2ff6 186600 openssh_8.4p1-5+deb11u3.debian.tar.xz
6164e0a2a6bdac3e2bbc933849368e15e5a3bbf1 15881 openssh_8.4p1-5+deb11u3_source.buildinfo
Checksums-Sha256:
0f800a412ac707c735afd90b5529511c5c1629b6aef342d824b2f66250565459 3270 openssh_8.4p1-5+deb11u3.dsc
5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 1742201 openssh_8.4p1.orig.tar.gz
ccd9dd484651ce4cc926228f6e1b46afaf0c5ab98a866217fa0ef1074370ea2b 683 openssh_8.4p1.orig.tar.gz.asc
f460cc974def7a03753f6d3e5248265aa01deca7e2ba5e29979677487e89cd41 186600 openssh_8.4p1-5+deb11u3.debian.tar.xz
340061cca4f8858e478279f729087363ac7a27df17584bfa0c626a4b29cd0737 15881 openssh_8.4p1-5+deb11u3_source.buildinfo
Files:
875ac216007bb6027a814840d10c5b9c 3270 net standard openssh_8.4p1-5+deb11u3.dsc
8f897870404c088e4aa7d1c1c58b526b 1742201 net standard openssh_8.4p1.orig.tar.gz
715c219a524631139bafa8a351cf44e7 683 net standard openssh_8.4p1.orig.tar.gz.asc
90e3da465d87838658dd0182fef0ac37 186600 net standard openssh_8.4p1-5+deb11u3.debian.tar.xz
c708cb4dbf3750cd26e9947a6ac46bbf 15881 net standard openssh_8.4p1-5+deb11u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmWEY3cACgkQOTWH2X2G
UAs8oxAAnXSa+RaCXtrv0EQ2EzahvsS77KE6gfOixdMvesNcdvaxmBkBWychIdmI
bHZCgcvpNiaNFoWlruiEQ3rfk5ePMuuAggWwbmQbZFLKpWoR4gnWQiw1AoVX5hvT
YVB/U/zwxBP9n/4/MlY6iUtXqprZwdfpOwIPM//8RVCIV7zDwRhVg30nE3JN1AXz
sUvMmKN8husaN6FxPq65W8owrOYniMPlqkaoVFQfufMzuErv6Nrulu0UQVIJaABo
CgbDSqHZc1XW6EuGZvHHzWcTTFee8osSJk/EDGGFxIxxl/jqqMyZvTgSZkxh9qbR
s8KiTLnA8DxD+B/6+mB3BC+ilZY0dsBW8tTLHR2uwBuFQxorGsaKlp+mJroPkXay
3CtRiyGVztYmYrGk8D90HC/+SXqcYZullGkfukQe0YtEU8Iidor7ysIuUH0jjXQV
cXaNbIqvPAq2jHmSYLuH9cDvGKUKFVhq/3Y8TLVr0VjHCvQNqJiAlXkDqSuVNyHN
CSQo8t8KZiuQySQqCm2vRud6sPVPTw6xWUB7lAaMc6Hyb/ydnysngTQE4wbxvZO6
WJHFZMncbej8+KbEKRZn58XxPqHaBAYPVjf54KZYX2kDHC6eTuIZih9QnvJfL6pC
EzXwYVAEoUodkJ6sSNTgUNWbDNZZR1zwJ+/oInqGJmERj2f3zDA=
=ywNQ
-----END PGP SIGNATURE-----
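The CVE-2021-41617 entry above says the helper command inherited sshd's groups. The following is an added example (not OpenSSH or Debian code) that models why: setgid()/setuid() leave the supplementary group list untouched, so a privilege drop without initgroups(3) keeps whatever groups the parent had. It also gives an audit function you can call from the program configured as AuthorizedKeysCommand to see whether the process that invoked it did this correctly. The group table, the "keyhelper" user and the gids are constructed for the example; only live_leaked_groups() reads the real passwd/group databases.

```python
"""Added example: supplementary-group leakage across a uid switch, with a
live audit. Models the kernel's behaviour; not OpenSSH or Debian code."""
import grp
import os
import pwd


class Creds:
    """Minimal model of a process's credentials."""

    def __init__(self, uid, gid, groups):
        self.uid, self.gid, self.groups = uid, gid, sorted(groups)


# Constructed /etc/group-style table: (name, gid, members). Not a real system.
SAMPLE_GROUPS = [
    ("root", 0, []),
    ("shadow", 42, []),
    ("ssh_keys", 998, ["keyhelper"]),
    ("keyhelper", 1001, []),
]


def supplementary_groups(username, primary_gid, groups):
    """The set initgroups(3) installs: the primary gid plus every group that
    lists username as a member."""
    gids = {primary_gid}
    gids.update(gid for _name, gid, members in groups if username in members)
    return sorted(gids)


def switch_user_without_initgroups(creds, uid, gid):
    """Models setgid()+setuid() alone: the supplementary list is left exactly
    as the parent (sshd, running as root) had it. This is the CVE-2021-41617
    shape."""
    return Creds(uid, gid, creds.groups)


def switch_user_with_initgroups(creds, username, uid, gid, groups):
    """Models initgroups()+setgid()+setuid(): the list is recomputed for the
    target user before the uid changes."""
    return Creds(uid, gid, supplementary_groups(username, gid, groups))


def leaked_groups(actual_gids, username, primary_gid, groups):
    """Gids the process holds that username did not earn via the group table."""
    expected = set(supplementary_groups(username, primary_gid, groups))
    return sorted(set(actual_gids) - expected)


def live_leaked_groups():
    """Audit the current process against the real passwd/group databases.
    Run from the command configured as AuthorizedKeysCommand: a non-empty
    list means whoever executed it did not call initgroups() for the
    configured AuthorizedKeysCommandUser. Returns None if the uid has no
    passwd entry to compare against."""
    try:
        pw = pwd.getpwuid(os.getuid())
    except KeyError:
        return None
    table = [(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()]
    return leaked_groups(os.getgroups(), pw.pw_name, pw.pw_gid, table)


if __name__ == "__main__":
    sshd = Creds(0, 0, [0, 42, 998])  # root with shadow and ssh_keys
    wrong = switch_user_without_initgroups(sshd, 1001, 1001)
    right = switch_user_with_initgroups(sshd, "keyhelper", 1001, 1001, SAMPLE_GROUPS)
    print("without initgroups:", wrong.groups,
          "leaked:", leaked_groups(wrong.groups, "keyhelper", 1001, SAMPLE_GROUPS))
    print("with initgroups:   ", right.groups,
          "leaked:", leaked_groups(right.groups, "keyhelper", 1001, SAMPLE_GROUPS))
    print("this process leaks:", live_leaked_groups())
```

The live audit only flags extra groups, never missing ones, so it stays quiet on systems where getgroups(2) omits the effective gid.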
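For the CVE-2023-48795 entry, the practical question is whether a given client/server pair still ends up on a Terrapin-affected suite and whether both sides advertise the strict-kex pseudo-algorithms the fix adds (kex-strict-c-v00@openssh.com from the client, kex-strict-s-v00@openssh.com from the server; one side alone is not enough). The following added example (not OpenSSH or Debian code) builds and parses KEXINIT payloads per RFC 4253 section 7.1, runs the client-preference negotiation, and reports the result. The cipher, MAC and kex lists are constructed, not captured from a real session; the affected-suite rule (ChaCha20-Poly1305, or any CBC cipher with an Encrypt-then-MAC MAC) is taken from the published attack.

```python
"""Added example: KEXINIT build/parse, RFC 4253 negotiation and a Terrapin
assessment. Not OpenSSH or Debian code; all inputs are constructed."""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
FIELDS = ("kex", "host_keys", "ciphers_c2s", "ciphers_s2c", "macs_c2s",
          "macs_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_keys, ciphers, macs, cookie=bytes(16)):
    """Serialise a KEXINIT; the same cipher/MAC lists in both directions."""
    lists = [kex, host_keys, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    body = b"".join(_name_list(n) for n in lists)
    # first_kex_packet_follows = FALSE, reserved uint32 = 0
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    off, out = 17, {}  # 1 byte message type + 16 byte cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        out[field] = raw.split(",") if raw else []
    if len(payload) != off + 5:
        raise ValueError("trailing or truncated data after name-lists")
    return out


def negotiate(client, server):
    """RFC 4253 s7.1: the first client-preferred name the server also lists.
    The kex-strict-* names never match (client and server use different
    names), so they do not influence the chosen kex method."""
    chosen = {}
    for field in ("kex", "host_keys", "ciphers_c2s", "ciphers_s2c",
                  "macs_c2s", "macs_s2c"):
        common = [n for n in client[field] if n in server[field]]
        if not common:
            raise ValueError("no common algorithm for " + field)
        chosen[field] = common[0]
    return chosen


def terrapin_affected(cipher, mac):
    """ChaCha20-Poly1305 is affected on its own; CBC ciphers only with an
    Encrypt-then-MAC MAC."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True
    return cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com")


def assess(client_payload, server_payload):
    client = parse_kexinit(client_payload)
    server = parse_kexinit(server_payload)
    chosen = negotiate(client, server)
    strict = (STRICT_KEX_CLIENT in client["kex"]
              and STRICT_KEX_SERVER in server["kex"])
    affected = any(terrapin_affected(chosen[c], chosen[m]) for c, m in
                   (("ciphers_c2s", "macs_c2s"), ("ciphers_s2c", "macs_s2c")))
    return {"cipher_c2s": chosen["ciphers_c2s"], "mac_c2s": chosen["macs_c2s"],
            "strict_kex": strict, "suite_affected": affected,
            "vulnerable": affected and not strict}


# Constructed peers: a patched client, an unpatched server, a patched server.
CLIENT = build_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT], ["ssh-ed25519"],
                       ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                       ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
OLD_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                           ["chacha20-poly1305@openssh.com", "aes128-cbc"],
                           ["hmac-sha2-256-etm@openssh.com"])
PATCHED_SERVER = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], ["ssh-ed25519"],
                               ["chacha20-poly1305@openssh.com", "aes128-cbc"],
                               ["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    print("old server:    ", assess(CLIENT, OLD_SERVER))
    print("patched server:", assess(CLIENT, PATCHED_SERVER))
```

Feeding real KEXINIT payloads in requires only the decrypted packet payload (the message-type byte onward), which is what a capture before encryption starts gives you.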
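The CVE-2023-51385 entry describes %h/%r expansion turning an attacker-chosen hostname into shell code. The following added example (not OpenSSH or Debian code) reproduces the mechanism with a small ssh_config-style token expander and a metacharacter filter modelled on, but not copied from, the check the fix introduces. The ProxyCommand templates, hostnames and the "git"/"DOMAIN\alice" usernames are constructed. The quoted-template case shows why wrapping %h in single quotes in the config is not a complete defence on its own: a single quote inside the hostname closes the quoting.

```python
"""Added example: ssh_config token expansion into a shell command, and a
hostname/username filter modelled on the CVE-2023-51385 fix. Not OpenSSH
or Debian code; inputs are constructed."""

# Characters refused in a hostname; modelled on, not copied from, OpenSSH's check.
HOST_BANNED = set("'`\"$\\;&<>|(){}")
# Remote usernames legitimately carry a few more characters (e.g. DOMAIN\user,
# machine accounts ending in '$'), so the username ban list is smaller.
USER_BANNED = set("'`\";&<>|(){}")


def valid_hostname(host):
    """Reject empty or option-looking names, whitespace, control characters
    and shell metacharacters."""
    if not host or host.startswith("-"):
        return False
    return not any(c in HOST_BANNED or c.isspace() or ord(c) < 32 for c in host)


def valid_ruser(user):
    """Reject option-looking names, the smaller metacharacter set, and a
    trailing backslash (which would escape whatever follows the expansion)."""
    if not user or user.startswith("-"):
        return False
    if any(c in USER_BANNED for c in user):
        return False
    return not user.endswith("\\")


def percent_expand(template, **values):
    """Subset of ssh_config(5) token expansion: %% plus the tokens passed in
    (here %h, %p, %r). Unknown tokens are an error, as in ssh."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%":
            tok = template[i + 1:i + 2]
            if tok == "%":
                out.append("%")
            elif tok in values:
                out.append(values[tok])
            else:
                raise ValueError("unknown token %" + tok)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def proxy_command(template, host, port, user, strict):
    """The string ssh would hand to `/bin/sh -c`. strict=False mirrors the
    pre-fix behaviour; strict=True refuses metacharacters before expanding."""
    if strict and not (valid_hostname(host) and valid_ruser(user)):
        raise ValueError("hostname or username contains shell metacharacters")
    return percent_expand(template, h=host, p=str(port), r=user)


if __name__ == "__main__":
    template = "ssh -W %h:%p jump.example.com"
    evil_host = "`touch /tmp/pwned`"  # e.g. from a crafted git submodule URL
    print("unpatched:", proxy_command(template, evil_host, 22, "git", strict=False))
    try:
        proxy_command(template, evil_host, 22, "git", strict=True)
    except ValueError as e:
        print("patched:  ", e)
    quoted = "ssh -W '%h:%p' jump.example.com"
    print("quoted %h:", proxy_command(quoted, "x'; touch /tmp/pwned; '", 22, "git", strict=False))
```

The unpatched line is exactly what the shell executes, backticks included; the quoted-template line shows the quote being closed from inside the hostname. Fixing this on the ssh side (the filter) is the right layer because no quoting discipline in ssh_config is safe against an arbitrary hostname.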