
Bug#995130: marked as done (openssh: CVE-2021-41617)



Your message dated Fri, 22 Dec 2023 21:18:37 +0000
with message-id <E1rGmuj-00GOHv-FM@fasolo.debian.org>
and subject line Bug#995130: fixed in openssh 1:8.4p1-5+deb11u3
has caused the Debian Bug report #995130,
regarding openssh: CVE-2021-41617
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
995130: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995130
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Version: 1:8.4p1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:8.4p1-5
Control: found -1 1:7.9p1-10+deb10u2
Control: found -1 1:7.9p1-10

Hi,

The following vulnerability was published for openssh.

CVE-2021-41617[0]:
| sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default
| configurations are used, allows privilege escalation because
| supplemental groups are not initialized as expected. Helper programs
| for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with
| privileges associated with group memberships of the sshd process, if
| the configuration specifies running the command as a different user.

IMHO it might be enough to address this via an upcoming point release
for both bullseye and buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41617
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617
[1] https://www.openwall.com/lists/oss-security/2021/09/26/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.4p1-5+deb11u3
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 995130@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Dec 2023 16:09:44 +0000
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 995130
Changes:
 openssh (1:8.4p1-5+deb11u3) bullseye-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to
       correctly initialise supplemental groups when executing an
       AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
       AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive
       has been set to run the command as a different user. Instead these
       commands would inherit the groups that sshd(8) was started with
       (closes: #995130).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in the
       user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
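
A defender-side check for the condition described in the CVE-2021-41617 changelog entry above, as an added example that is not part of the bug report or of the Debian or OpenSSH code: it lists each AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper that an unpatched sshd would start with sshd's own supplementary groups. The sample config, the /proc status text, the helper paths, user names and function names are constructed for illustration; Include files are not followed.

```python
import re

# Directive pairs from the CVE-2021-41617 entry; the SAMPLE_* inputs below are constructed.
PAIRS = {"authorizedkeyscommand": "authorizedkeyscommanduser",
         "authorizedprincipalscommand": "authorizedprincipalscommanduser"}
SAMPLE_CONFIG = """\
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser nobody
Match Group contractors
    AuthorizedPrincipalsCommand /usr/local/bin/principals %u
    AuthorizedPrincipalsCommandUser _principals
"""
SAMPLE_STATUS = "Name:\tsshd\nUid:\t0\t0\t0\t0\nGroups:\t0 4 27 \n"

def parse_scopes(config_text):
    """Map 'global' and each Match block to its directives (first value wins)."""
    scopes, current = {"global": {}}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[ \t=]+", line, maxsplit=1)
        key = fields[0].lower()  # sshd_config keywords are case-insensitive
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            current = "match " + value
            scopes.setdefault(current, {})
        else:
            scopes[current].setdefault(key, value)
    return scopes

def supplementary_groups(proc_status_text):
    """Supplementary GIDs from the Groups: line of /proc/<pid>/status (Linux)."""
    m = re.search(r"^Groups:(.*)$", proc_status_text, re.M)
    return [int(g) for g in m.group(1).split()] if m else []

def audit(config_text, proc_status_text):
    """Return (scope, directive, helper, run-as user, inherited GIDs) per exposed helper."""
    scopes, groups = parse_scopes(config_text), supplementary_groups(proc_status_text)
    glob, findings = scopes["global"], []
    for scope, d in scopes.items():
        for cmd_key, user_key in PAIRS.items():
            helper = d.get(cmd_key, glob.get(cmd_key, "none"))
            user = d.get(user_key, glob.get(user_key, "none"))
            touched = scope == "global" or cmd_key in d or user_key in d
            # Assumption of this example: the value "none" means the directive is unset.
            if touched and groups and "none" not in (helper.lower(), user.lower()):
                findings.append((scope, cmd_key, helper, user, groups))
    return findings
```

On a live host, pass it the sshd_config text and the contents of /proc/<pid>/status for the running sshd; an empty result means no helper is configured or sshd holds no supplementary groups to pass on.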
