Accepted openssh 1:8.4p1-5+deb11u3 (source) into oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Dec 2023 16:09:44 +0000
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 995130
Changes:
 openssh (1:8.4p1-5+deb11u3) bullseye-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to
       correctly initialise supplemental groups when executing an
       AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a
       AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive
       has been set to run the command as a different user. Instead these
       commands would inherit the groups that sshd(8) was started with
       (closes: #995130).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in the
       user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 3bbca3973f5db9442eb8ed2cdb141fcfc122d699 3270 openssh_8.4p1-5+deb11u3.dsc
 69305059e10a60693ebe6f17731f962c9577535c 1742201 openssh_8.4p1.orig.tar.gz
 323573568682eac265e1f69206bc98149a8e423e 683 openssh_8.4p1.orig.tar.gz.asc
 d38cba955daa0185b9f6a0cb7152591de23f2ff6 186600 openssh_8.4p1-5+deb11u3.debian.tar.xz
 6164e0a2a6bdac3e2bbc933849368e15e5a3bbf1 15881 openssh_8.4p1-5+deb11u3_source.buildinfo
Checksums-Sha256:
 0f800a412ac707c735afd90b5529511c5c1629b6aef342d824b2f66250565459 3270 openssh_8.4p1-5+deb11u3.dsc
 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 1742201 openssh_8.4p1.orig.tar.gz
 ccd9dd484651ce4cc926228f6e1b46afaf0c5ab98a866217fa0ef1074370ea2b 683 openssh_8.4p1.orig.tar.gz.asc
 f460cc974def7a03753f6d3e5248265aa01deca7e2ba5e29979677487e89cd41 186600 openssh_8.4p1-5+deb11u3.debian.tar.xz
 340061cca4f8858e478279f729087363ac7a27df17584bfa0c626a4b29cd0737 15881 openssh_8.4p1-5+deb11u3_source.buildinfo
Files:
 875ac216007bb6027a814840d10c5b9c 3270 net standard openssh_8.4p1-5+deb11u3.dsc
 8f897870404c088e4aa7d1c1c58b526b 1742201 net standard openssh_8.4p1.orig.tar.gz
 715c219a524631139bafa8a351cf44e7 683 net standard openssh_8.4p1.orig.tar.gz.asc
 90e3da465d87838658dd0182fef0ac37 186600 net standard openssh_8.4p1-5+deb11u3.debian.tar.xz
 c708cb4dbf3750cd26e9947a6ac46bbf 15881 net standard openssh_8.4p1-5+deb11u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmWEY3cACgkQOTWH2X2G
UAs8oxAAnXSa+RaCXtrv0EQ2EzahvsS77KE6gfOixdMvesNcdvaxmBkBWychIdmI
bHZCgcvpNiaNFoWlruiEQ3rfk5ePMuuAggWwbmQbZFLKpWoR4gnWQiw1AoVX5hvT
YVB/U/zwxBP9n/4/MlY6iUtXqprZwdfpOwIPM//8RVCIV7zDwRhVg30nE3JN1AXz
sUvMmKN8husaN6FxPq65W8owrOYniMPlqkaoVFQfufMzuErv6Nrulu0UQVIJaABo
CgbDSqHZc1XW6EuGZvHHzWcTTFee8osSJk/EDGGFxIxxl/jqqMyZvTgSZkxh9qbR
s8KiTLnA8DxD+B/6+mB3BC+ilZY0dsBW8tTLHR2uwBuFQxorGsaKlp+mJroPkXay
3CtRiyGVztYmYrGk8D90HC/+SXqcYZullGkfukQe0YtEU8Iidor7ysIuUH0jjXQV
cXaNbIqvPAq2jHmSYLuH9cDvGKUKFVhq/3Y8TLVr0VjHCvQNqJiAlXkDqSuVNyHN
CSQo8t8KZiuQySQqCm2vRud6sPVPTw6xWUB7lAaMc6Hyb/ydnysngTQE4wbxvZO6
WJHFZMncbej8+KbEKRZn58XxPqHaBAYPVjf54KZYX2kDHC6eTuIZih9QnvJfL6pC
EzXwYVAEoUodkJ6sSNTgUNWbDNZZR1zwJ+/oInqGJmERj2f3zDA=
=ywNQ
-----END PGP SIGNATURE-----
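The first changelog entry (CVE-2021-41617) is an instance of a general privilege-drop bug: a daemon that switches uid/gid for a helper but never calls initgroups() leaves the helper holding the daemon's supplementary groups. The following Python is an added example, not Debian's or OpenSSH's code. It computes the group set a user should have, reports any extra groups a process actually holds, and shows the correct drop order; the sshd_config lines and the wrapper path in the comments are hypothetical, and the passwd/group data used in the module-level check is whatever the running host has.

```python
"""Detect supplementary-group leakage into a helper run as another user.

Added example illustrating the bug class behind CVE-2021-41617; it is
not OpenSSH code. A daemon that setuid()s to a helper user without
initgroups() keeps the supplementary groups it was started with
(typically root's). The pure functions below compute what the helper
should have and what it actually got; drop_privileges() shows the
correct call order.
"""
import grp
import os
import pwd
import sys


def expected_groups(username, primary_gid, group_db):
    """Group set a fresh login for `username` would receive.

    group_db is an iterable of (gid, member_names) pairs, i.e.
    grp.getgrall() reduced to the two fields that matter here.
    """
    gids = {primary_gid}
    for gid, members in group_db:
        if username in members:
            gids.add(gid)
    return gids


def expected_groups_from_system(username):
    """Same, read from the running host's passwd and group databases."""
    pw = pwd.getpwnam(username)
    db = [(g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    return expected_groups(username, pw.pw_gid, db)


def leaked_groups(actual, expected):
    """Groups the process holds that a fresh login would not."""
    return set(actual) - set(expected)


def drop_privileges(username):
    """Correct order: initgroups, then setgid, then setuid (root only).

    Calling setgid()/setuid() alone leaves the caller's supplementary
    groups in place, which is exactly the leak leaked_groups() detects.
    """
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)   # replaces the supplementary group list
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)                 # last: afterwards groups cannot be changed


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


if __name__ == "__main__":
    # Hypothetical deployment: point sshd at this script and see what it
    # reports in the auth log.
    #   AuthorizedKeysCommand /usr/local/sbin/keys-wrapper %u
    #   AuthorizedKeysCommandUser sshd-keys
    me = pwd.getpwuid(os.geteuid()).pw_name
    leak = leaked_groups(os.getgroups(), expected_groups_from_system(me))
    if leak:
        names = [_group_name(g) for g in sorted(leak)]
        print(f"WARNING: running as {me} with leaked groups: {names}", file=sys.stderr)
        sys.exit(1)
    print(f"ok: {me} holds only its own groups")
```

Run the script as the helper user from a real AuthorizedKeysCommand on an unpatched sshd and the warning line names the groups that leaked; on 1:8.4p1-5+deb11u3 it should print the "ok" line. The check is equally useful for any other daemon that runs helpers as a different user.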
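For the Terrapin entry (CVE-2023-48795) a practitioner mostly wants to know two things about a given client/server pair: will the negotiated algorithms be one of the exploitable combinations (chacha20-poly1305@openssh.com, or a CBC cipher with an encrypt-then-MAC MAC), and do both sides advertise the "strict kex" extension that the update adds. The following Python is an added example, not Debian's or OpenSSH's code. It serialises and parses SSH_MSG_KEXINIT per RFC 4253 and applies those two rules to constructed algorithm lists; the marker names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com are the ones OpenSSH uses, everything else (hostnames, list contents) is made up for the fixture.

```python
"""Assess two KEXINIT messages for Terrapin (CVE-2023-48795) exposure.

Added example, not OpenSSH or Debian code. Builds and parses the
SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and applies the two
facts the attack depends on: the exploitable cipher/MAC choices, and
the "strict kex" markers OpenSSH added as the mitigation. The
algorithm lists at the bottom are constructed, not captured.
"""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"   # sent by the client
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # sent by the server
CHACHA = "chacha20-poly1305@openssh.com"
LIST_NAMES = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(names):
    """SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Serialise a KEXINIT using the same lists in both directions.

    The 16-byte cookie is zeroed because this is a test fixture; a real
    implementation must fill it with random bytes.
    """
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for nl in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _name_list(nl)
    body += b"\x00"                 # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)    # reserved
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16                    # message id + cookie
    lists = []
    for _ in range(10):
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        lists.append(raw.decode("ascii").split(",") if raw else [])
    return dict(zip(LIST_NAMES, lists))


def negotiate(client_list, server_list):
    """RFC 4253 rule: first client preference that the server also lists."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def assess(client, server):
    """Return strict-kex status, exploitable algorithm picks and a verdict."""
    strict = (STRICT_KEX_CLIENT in client["kex"]
              and STRICT_KEX_SERVER in server["kex"])
    exploitable = []
    for d in ("c2s", "s2c"):
        cipher = negotiate(client["enc_" + d], server["enc_" + d])
        mac = negotiate(client["mac_" + d], server["mac_" + d])
        if cipher == CHACHA:                      # AEAD, MAC list irrelevant
            exploitable.append((d, cipher, "chacha20-poly1305"))
        elif cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
            exploitable.append((d, cipher, "cbc-etm"))
    return {"strict_kex": strict,
            "exploitable": exploitable,
            "vulnerable": bool(exploitable) and not strict}


def assess_payloads(client_payload, server_payload):
    return assess(parse_kexinit(client_payload), parse_kexinit(server_payload))


# Constructed fixtures: a patched client against an unpatched and a
# patched server, all preferring chacha20-poly1305.
MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
CLIENT = build_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT], ["ssh-ed25519"],
                       [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr"], MACS)
SERVER_OLD = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                           [CHACHA, "aes256-ctr"], MACS)
SERVER_NEW = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], ["ssh-ed25519"],
                           [CHACHA, "aes256-ctr"], MACS)

if __name__ == "__main__":
    for label, srv in (("unpatched server", SERVER_OLD), ("patched server", SERVER_NEW)):
        print(label, assess_payloads(CLIENT, srv))
```

Feed it the two KEXINIT payloads from a packet capture (they are sent in clear before encryption starts) and the verdict tells you whether that session was exposed. Note that strict kex only helps when both peers advertise it; a patched server talking to an unpatched client that picks chacha20-poly1305 is still "vulnerable" here, which is why the update patches ssh(1) and sshd(8) together.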
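The last entry (CVE-2023-51385) is easiest to understand by seeing the expansion: a ProxyCommand such as `ssh -W %h:%p jump` is handed to /bin/sh after %h is replaced with whatever hostname was on the ssh(1) command line, so a name containing `;` or `$(...)` becomes shell syntax. The following Python is an added example, not OpenSSH code. valid_hostname() and valid_ruser() are a transcription of the character rules the upstream fix applies to command-line hostnames and remote usernames; treat the exact character sets as an assumption rather than a specification. expand_tokens() mimics only enough of ssh_config(5) %-expansion (%h, %r, %p, %%) to show the resulting command, and all hostnames and templates are constructed.

```python
"""Reject shell metacharacters in ssh(1) user/host arguments (CVE-2023-51385).

Added example, not OpenSSH code. valid_hostname()/valid_ruser() follow
the character rules of the upstream fix as an approximation; the exact
sets are an assumption. expand_tokens() implements a small subset of
ssh_config(5) %-expansion to show what a ProxyCommand would pass to
/bin/sh. All inputs are constructed.
"""
HOST_META = set("'`\"$\\;&<>|(){}")      # banned anywhere in a hostname
USER_META = set("'`\";&<>|(){}")         # banned anywhere in a username


def valid_hostname(host):
    """Hostname may not look like an option, contain shell metacharacters,
    whitespace or control characters."""
    if not host or host.startswith("-"):
        return False
    for ch in host:
        if ch in HOST_META or ch.isspace() or ord(ch) < 32 or ord(ch) == 127:
            return False
    return True


def valid_ruser(user):
    """Remote username: no leading '-', no metacharacters, no whitespace
    followed by '-' (option smuggling), no trailing backslash."""
    if not user or user.startswith("-"):
        return False
    for i, ch in enumerate(user):
        if ch in USER_META:
            return False
        if ch.isspace() and user[i + 1:i + 2] == "-":
            return False
        if ch == "\\" and i == len(user) - 1:
            return False
    return True


def expand_tokens(template, host, user, port):
    """Expand %h %r %p %% left to right; other %-sequences are kept verbatim."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            rep = {"h": host, "r": user, "p": str(port), "%": "%"}.get(template[i + 1])
            if rep is not None:
                out.append(rep)
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def proxy_command(template, host, user, port=22):
    """Shell command ssh would run for this ProxyCommand, or None if the
    command-line host/user is rejected before expansion."""
    if not (valid_hostname(host) and valid_ruser(user)):
        return None
    return expand_tokens(template, host, user, port)


if __name__ == "__main__":
    template = "ssh -W %h:%p jump.example.org"   # constructed ProxyCommand
    for host in ("git.example.org", "git.example.org;id", "$(id).example.org",
                 "-oProxyCommand=id"):
        print(repr(host), "->", proxy_command(template, host, "git"))
```

The ban covers names taken from the ssh(1) command line, which is the vector the changelog describes (for example a hostname embedded in a repository URL that a tool passes straight to ssh). It does not make unquoted %h safe against names that come from elsewhere, so quoting expansion tokens in your own ProxyCommand, LocalCommand and Match exec directives is still worthwhile.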