
Bug#1042460: marked as done (openssh-client: ssh-agent CVE-2023-38408)



Your message dated Sun, 24 Sep 2023 19:47:34 +0000
with message-id <E1qkV4o-000QUP-53@fasolo.debian.org>
and subject line Bug#1042460: fixed in openssh 1:8.4p1-5+deb11u2
has caused the Debian Bug report #1042460,
regarding openssh-client: ssh-agent CVE-2023-38408
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1042460: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042460
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:8.4p1-5+deb11u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: mnalis-debianbug@voyager.hr, Debian Security Team <team@security.debian.org>


"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code execution if
an agent is forwarded to an attacker-controlled system."

While it does not affect all users of ssh-agent, it does affect many of them,
and the commonly suggested workaround (using jumphosts instead of agent forwarding)
is not applicable to many use cases (git push over ssh, using
libpam-ssh-agent-auth, etc.).

https://security-tracker.debian.org/tracker/CVE-2023-38408 indicates that
the new fixed version 1:9.3p2-1 has been uploaded to sid and trixie; however,
bookworm (stable) and bullseye (oldstable) still have no security fix since
the CVE release on 2023-07-20.

(A workaround by pinning the fixed version from trixie is not possible, due to
a significant library clash; and there are no Debian backports either.)

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.12
ii  libc6             2.31-13+deb11u6
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u3
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1n-0+deb11u5
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-client recommends:
pn  xauth  <none>

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.4p1-5+deb11u2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1042460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Sep 2023 23:13:51 +0100
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1042460
Changes:
 openssh (1:8.4p1-5+deb11u2) bullseye; urgency=medium
 .
   * Cherry-pick from OpenSSH 9.3p2:
     - [CVE-2023-38408] Fix a condition where specific libraries loaded via
       ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
       execution via a forwarded agent socket (closes: #1042460).
Checksums-Sha1:
 5c8715af36211ea95770b993a652644a70fc0801 3393 openssh_8.4p1-5+deb11u2.dsc
 6ae5d2e17c2036ac074fe7b1041e4417f75c1047 181152 openssh_8.4p1-5+deb11u2.debian.tar.xz
Checksums-Sha256:
 85766be35d9e1d460e8117164a7a7d5f7347de5130718a7065098c8e6fc4e7bd 3393 openssh_8.4p1-5+deb11u2.dsc
 72ab9d1e3186a3efbdbb792c9ae08daa4e965a219579482a23d743cfef0180cd 181152 openssh_8.4p1-5+deb11u2.debian.tar.xz
Files:
 65a6dabac79749aabb9c79450cd1e07e 3393 net standard openssh_8.4p1-5+deb11u2.dsc
 7e2b10adce672e516ecc61f4dfa4ce4f 181152 net standard openssh_8.4p1-5+deb11u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
