
Bug#1042460: marked as done (openssh-client: ssh-agent CVE-2023-38408)



Your message dated Sun, 24 Sep 2023 19:47:11 +0000
with message-id <E1qkV4R-000QNh-0t@fasolo.debian.org>
and subject line Bug#1042460: fixed in openssh 1:9.2p1-2+deb12u1
has caused the Debian Bug report #1042460,
regarding openssh-client: ssh-agent CVE-2023-38408
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1042460: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042460
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:8.4p1-5+deb11u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: mnalis-debianbug@voyager.hr, Debian Security Team <team@security.debian.org>


"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code execution if
an agent is forwarded to an attacker-controlled system."

While it does not affect all users of ssh-agent, it does affect many of them,
and the commonly suggested workaround (using jumphosts instead of agent
forwarding) is not applicable to many use cases (git push over ssh, using
libpam-ssh-agent-auth, etc.)

https://security-tracker.debian.org/tracker/CVE-2023-38408 indicates that
the new fixed version 1:9.3p2-1 has been uploaded in sid and trixie, however
bookworm (stable) and bullseye (oldstable) still have no security fix since
the CVE release on 2023-07-20.

(A workaround by pinning the fixed version from trixie is not possible, due to
a significant library clash; and there are no Debian backports either.)

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.12
ii  libc6             2.31-13+deb11u6
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u3
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1n-0+deb11u5
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-client recommends:
pn  xauth  <none>

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.2p1-2+deb12u1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1042460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Sep 2023 23:11:33 +0100
Source: openssh
Architecture: source
Version: 1:9.2p1-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1042460
Changes:
 openssh (1:9.2p1-2+deb12u1) bookworm; urgency=medium
 .
   * Cherry-pick from OpenSSH 9.3p2:
     - [CVE-2023-38408] Fix a condition where specific libraries loaded via
       ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
       execution via a forwarded agent socket (closes: #1042460).
Checksums-Sha1:
 bec06185ba96f1bd9d2196811969c51fc6210516 3352 openssh_9.2p1-2+deb12u1.dsc
 29179a345fc4b31133e212c8dcb9499807957bb4 184920 openssh_9.2p1-2+deb12u1.debian.tar.xz
Checksums-Sha256:
 908406c2173d3bf99d0283606c841f08f48d9533b27aeab689b9c454b28e535c 3352 openssh_9.2p1-2+deb12u1.dsc
 416584c486be53038afa618d8bd6605a6d0b54706ea89a911b3d4b8e0abfc3f8 184920 openssh_9.2p1-2+deb12u1.debian.tar.xz
Files:
 d7947ab3a7f20ca168e65aa93e601ac8 3352 net standard openssh_9.2p1-2+deb12u1.dsc
 a3bc2d1eceb611608505ecea4cb84a0e 184920 net standard openssh_9.2p1-2+deb12u1.debian.tar.xz


--- End Message ---
