[SECURITY] [DLA 3694-1] openssh security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3694-1] openssh security update
From: Santiago Ruano Rincón <santiago@freexian.com>
Date: Mon, 25 Dec 2023 21:22:30 -0500
Message-id: <[🔎] ZYo45sDlsUyGT_cf@novelo>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3694-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Santiago Ruano Rincón
December 25, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssh
Version        : 1:7.9p1-10+deb10u4
CVE ID         : CVE-2021-41617 CVE-2023-48795 CVE-2023-51385
Debian Bug     : 995130

Several vulnerabilities have been discovered in OpenSSH, an implementation of
the SSH protocol suite.

CVE-2021-41617

    It was discovered that sshd failed to correctly initialise supplemental
    groups when executing an AuthorizedKeysCommand or
    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
    AuthorizedPrincipalsCommandUser directive has been set to run the command
    as a different user. Instead these commands would inherit the groups that
    sshd was started with.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH
    protocol is prone to a prefix truncation attack, known as the "Terrapin
    attack". This attack allows a MITM attacker to effect a limited break of the
    integrity of the early encrypted SSH transport protocol by sending extra
    messages prior to the commencement of encryption, and deleting an equal
    number of consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

CVE-2023-51385

    It was discovered that if an invalid user or hostname that contained shell
    metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
    directive or "match exec" predicate referenced the user or hostname via
    expansion tokens, then an attacker who could supply arbitrary
    user/hostnames to ssh could potentially perform command injection. The
    situation could arise in case of git repositories with submodules, where the
    repository could contain a submodule with shell characters in its user or
    hostname.

For Debian 10 buster, these problems have been fixed in version
1:7.9p1-10+deb10u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3693-1] osslsigncode security update
Next by Date: [SECURITY] [DLA 3695-1] ansible security update
Previous by thread: [SECURITY] [DLA 3693-1] osslsigncode security update
Next by thread: [SECURITY] [DLA 3695-1] ansible security update
Index(es):
- Date
- Thread