Bug#1102603: marked as done (openssh: CVE-2025-32728)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 11 Apr 2025 15:39:37 +0000
with message-id <E1u3GTh-004mwN-GZ@fasolo.debian.org>
and subject line Bug#1102603: fixed in openssh 1:10.0p1-1
has caused the Debian Bug report #1102603,
regarding openssh: CVE-2025-32728
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102603: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102603
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: openssh: CVE-2025-32728
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Thu, 10 Apr 2025 22:20:44 +0200
• Message-id: <[🔎] 174431644435.3465326.3124707217542544007.reportbug@eldamar.lan>

Source: openssh
Version: 1:7.4p1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32728
    https://www.cve.org/CVERecord?id=CVE-2025-32728
[1] https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1102603-close@bugs.debian.org
• Subject: Bug#1102603: fixed in openssh 1:10.0p1-1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 11 Apr 2025 15:39:37 +0000
• Message-id: <E1u3GTh-004mwN-GZ@fasolo.debian.org>
• Reply-to: Colin Watson <cjwatson@debian.org>

Source: openssh
Source-Version: 1:10.0p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1102603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Apr 2025 16:00:55 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1102603
Changes:
 openssh (1:10.0p1-1) unstable; urgency=medium
 .
   [ Luca Boccassi ]
   * Add COLORTERM NO_COLOR to SendEnv and AcceptEnv.
 .
   [ Colin Watson ]
   * New upstream release:
     - This release removes support for the weak DSA signature algorithm.
     - scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp &
       sftp.
     - This release has the version number 10.0 and announces itself as
       "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
       patterns like "OpenSSH_1*" may be confused by this.
     - sshd(8): this release removes the code responsible for the user
       authentication phase of the protocol from the per-connection
       sshd-session binary to a new sshd-auth binary. Splitting this code
       into a separate binary ensures that the crucial pre-authentication
       attack surface has an entirely disjoint address space from the code
       used for the rest of the connection. It also yields a small runtime
       memory saving as the authentication code will be unloaded after the
       authentication phase completes. This change should be largely
       invisible to users, though some log messages may now come from
       "sshd-auth" instead of "sshd-session".
     - sshd(8): this release disables finite field (a.k.a modp)
       Diffie-Hellman key exchange in sshd by default. Specifically, this
       removes the "diffie-hellman-group*" and
       "diffie-hellman-group-exchange-*" methods from the default
       KEXAlgorithms list. The client is unchanged and continues to support
       these methods by default.
     - sshd(8): this release removes the implicit fallback to compiled-in
       groups for Diffie-Hellman Group Exchange KEX when the moduli file
       exists but does not contain moduli within the client-requested range.
       The fallback behaviour remains for the case where the moduli file does
       not exist at all. This allows administrators more explicit control
       over which DH groups will be selected, but can lead to connection
       failures if the moduli file is edited incorrectly.
     - CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which
       was failing to disable X11 forwarding and agent forwarding as
       documented (closes: #1102603). X11 forwarding is disabled by default
       in the server and agent forwarding is off by default in the client.
     - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
       used by default for key agreement. This algorithm is considered to be
       safe against attack by quantum computers, is guaranteed to be no less
       strong than the popular curve25519-sha256 algorithm, has been
       standardised by NIST and is considerably faster than the previous
       default.
     - ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for the
       connection. The default cipher preference list is now
       Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
       (128/192/256).
     - ssh(1): add %-token and environment variable expansion to the
       ssh_config SetEnv directive.
     - ssh(1): allow %-token and environment variable expansion in the
       ssh_config User directive, with the exception of %r and %C which would
       be self-referential.
     - ssh(1), sshd(8): add "Match version" support to ssh_config and
       sshd_config. Allows matching on the local version of OpenSSH, e.g.
       "Match version OpenSSH_10.*".
     - ssh(1): add support for "Match sessiontype" to ssh_config. Allows
       matching on the type of session initially requested, either "shell"
       for interactive sessions, "exec" for command execution sessions,
       "subsystem" for subsystem requests, such as sftp, or "none" for
       transport/forwarding-only sessions.
     - ssh(1): add support for "Match command ..." support to ssh_config,
       allowing matching on the remote command as specified on the
       command-line.
     - ssh(1): allow 'Match tagged ""' and 'Match command ""' to match empty
       tag and command values respectively.
     - sshd(8): allow glob(3) patterns to be used in sshd_config
       AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
     - sshd(1): support the VersionAddendum in the client, mirroring the
       option of the same name in the server.
     - ssh-agent(1): the agent will now delete all loaded keys when signaled
       with SIGUSR1. This allows deletion of keys without having access to
       $SSH_AUTH_SOCK.
     - Portable OpenSSH, ssh-agent(1): support systemd-style socket
       activation in ssh-agent using the LISTEN_PID/LISTEN_FDS mechanism.
       Activated when these environment variables are set, the agent is
       started with the -d or -D option and no socket path is set.
     - ssh-keygen(1): support FIDO tokens that return no attestation data,
       e.g. recent WinHello.
     - ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the default
       FIDO application ID allow-list to be overridden.
     - ssh-keygen(1): allow "-" as output file for moduli screening.
     - sshd(8): remove assumption that the sshd_config and any configs it
       includes can fit in a (possibly enlarged) socket buffer. Previously it
       was possible to create a sufficiently large configuration that could
       cause sshd to fail to accept any connection. sshd(8) will now actively
       manage sending its config to the sshd-session sub-process.
     - ssh(1): don't start the ObscureKeystrokeTiming mitigations if there
       has been traffic on a X11 forwarding channel recently. Should fix X11
       forwarding performance problems when this setting is enabled.
     - ssh(1): prohibit the comma character in hostnames accepted, but allow
       an underscore as the first character in a hostname.
     - sftp(1): set high-water when resuming a "put". Prevents bogus "server
       reordered acks" debug message.
     - ssh(1), sshd(8): fix regression in openssh-9.8, which would fail to
       accept "Match criteria=argument" as well as the documented "Match
       criteria argument" syntax in ssh_config and sshd_config.
     - sftp(1), ssh(1): fix a number of possible NULL dereference bugs,
       including Coverity CIDs 405019 and 477813.
     - sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty when
       LoginGraceTime was exceeded.
     - sshd(8): fix "Match invalid-user" from incorrectly being activated in
       initial configuration pass when no other predicates were present on
       the match line.
     - sshd(8): fix debug logging of user specific delay.
     - sshd(8): improve debug logging across sub-process boundaries.
       Previously some log messages were lost early in the sshd-auth and
       sshd-session processes' life.
     - ssh(1): require control-escape character sequences passed via the '-e
       ^x' command-line to be exactly two characters long. Avoids one byte
       out-of-bounds read if ssh is invoked as "ssh -e^ ...".
     - ssh(1), sshd(8): prevent integer overflow in x11 port handling. These
       are theoretically possible if the admin misconfigured X11DisplayOffset
       or the user misconfigures their own $DISPLAY, but don't happen in
       normal operation.
     - ssh-keygen(1): don't mess up ssh-keygen -l output when the file
       contains CR characters.
     - sshd(8): add rate limits to logging of connections dropped by
       PerSourcePenalties. Previously these could be noisy in logs.
     - ssh(1): fix argument of "Compression" directive in ssh -G config dump,
       which regressed in openssh-9.8.
     - sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd
       refuses to accept the signature returned by an agent holding host keys
       during the hostkey rotation sub-protocol. This situation could occur
       in situations where a PKCS#11 smartcard that lacked support for
       particular signature algorithms was used to store host keys.
     - ssh-keygen(1): when using RSA keys to sign messages with "ssh-keygen
       -Y", select the signature algorithm based on the requested hash
       algorithm ("-Ohashalg=xxx"). This allows using something other than
       the default of rsa-sha2-512, which may not be supported on all signing
       backends, e.g. some smartcards only support SHA256.
     - sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.
     - sshd(8): add support for locking sshd into memory, enabled with the
       --with-linux-memlock-onfault configure flag.
   * Configure --with-linux-memlock-onfault on Linux.
Checksums-Sha1:
 7450c75c7c6136292c56fed4364a88704c3d606e 3476 openssh_10.0p1-1.dsc
 ac4205e827aea383bf316a33a0e2d5b66b85fcf8 1972675 openssh_10.0p1.orig.tar.gz
 9623202a5dd2cee22dc5bdbe73144d15730b1f97 833 openssh_10.0p1.orig.tar.gz.asc
 9f1092fe28cfcbb4a7ecdf2d64f36715ba9ce6d4 198240 openssh_10.0p1-1.debian.tar.xz
Checksums-Sha256:
 4b7fc8dc2e4d6146431e598709c05f5704bae82c4502da2e315b9e6af8d9a20b 3476 openssh_10.0p1-1.dsc
 021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c 1972675 openssh_10.0p1.orig.tar.gz
 f71cf3240516ce59c2240532143982fcd97e2e286e6eb1eb6c3080a1ec012a04 833 openssh_10.0p1.orig.tar.gz.asc
 cf32ccae72b07ea87088a8197e9a86c053ace339c0cb0113bb0182a3f3d597b1 198240 openssh_10.0p1-1.debian.tar.xz
Files:
 c20cfc9e2450d5569979c90c658cfd74 3476 net standard openssh_10.0p1-1.dsc
 689148621a2eaa734497b12bed1c5202 1972675 net standard openssh_10.0p1.orig.tar.gz
 1c0cb23a67bd4e5d25a8dc423ed65a5e 833 net standard openssh_10.0p1.orig.tar.gz.asc
 3164cf6c63be6c0dc6155f10419c442a 198240 net standard openssh_10.0p1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmf5LswACgkQOTWH2X2G
UAsM5RAAr4tOqhY+GoeXQ25AadHbU6TueY5e66GRhkvxwDAGlEMK5eRUkKO7GPkX
KiNXpyatEjxWsus0CevKnFbKLfkmRJAH5ierggNh1CZ85AZxFMJ73dC7uxWMdI8k
NSrNVLaln3mm5v3yfUqpVubncxo91Kl2f9GqKGuaMgwe7jees7100EBwPtaNO01K
fcwdz/38MHEaGqTjk4M0z18PgUiSIDAY/I3xJeHqGPo0JqESCh7D4bFCUmZM2sSN
XHmg5gFNsf4V0lANJxY8CXcRL2DqcwjIZdp3Dcosatm1Rzn9CHPIydngAF5ifuJp
8M7MTSUPYFk0q0EMzvDFFZdiwKRVrfKJXDBV0zV1jf91a/37ghl/SP2tUaMIJOXe
HsmfEItiCUAXLomrrQeUkt2dGC7oSf4wS60ejxU0wj2jwH/P9u9pI0AjCTLwxnA+
LkYKTPCzldJyhDRg0/5eo1pqJCt+nSFxah7n3ujfSo/5+n9gxs0BuBt5zMex6g6p
tHTqRSxvLVxH5JIfzg/d2WRnA+SY8SqVds1bzHWYf2FV9inhDMPyKS6FDH57T2SK
qiudBBfJcZ2pSWS4VkKDYYJHlfzMFKwk8BVqiL07ysn4zm05vvJODrxTvb0fg651
wjI7GpdmiOHVe7m+rwjJKQBQ5Y7N1qm1Mo+AzClRvLw/DV40NwY=
=zVcb
-----END PGP SIGNATURE-----

Attachment: pgpkqzsVQmYkM.pgp
Description: PGP signature

--- End Message ---