Announce: OpenSSH 9.3p2 released

Corinna Vinschen vinschen at redhat.com
Thu Jul 20 20:18:15 AEST 2023


Hi Damien,

Can you please add a V_9_3_P2 tag?


Thanks,
Corinna


On Jul 19 08:40, Damien Miller wrote:
> OpenSSH 9.3p2 has just been released. It will be available from the
> mirrors listed at https://www.openssh.com/ shortly.
> 
> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
> includes sftp client and server support.
> 
> Once again, we would like to thank the OpenSSH community for their
> continued support of the project, especially those who contributed
> code or patches, reported bugs, tested snapshots or donated to the
> project. More information on donations may be found at:
> https://www.openssh.com/donations.html
> 
> Changes since OpenSSH 9.3
> =========================
> 
> This release fixes a security bug.
> 
> Security
> ========
> 
> Fix CVE-2023-38408 - a condition where specific libraries loaded via
> ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
> code execution via a forwarded agent socket if the following
> conditions are met:
> 
> * Exploitation requires the presence of specific libraries on
>   the victim system.
> * Remote exploitation requires that the agent was forwarded
>   to an attacker-controlled system.
> 
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
> 
> This vulnerability was discovered and demonstrated to be exploitable
> by the Qualys Security Advisory team.
>
> In addition to removing the main precondition for exploitation,
> this release removes the ability for remote ssh-agent(1) clients
> to load PKCS#11 modules by default (see below).
> 
> Potentially-incompatible changes
> --------------------------------
> 
>  * ssh-agent(8): the agent will now refuse requests to load PKCS#11
>    modules issued by remote clients by default. A flag has been added
>    to restore the previous behaviour "-Oallow-remote-pkcs11".
> 
>    Note that ssh-agent(8) depends on the SSH client to identify
>    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
>    this, but forwarding access to an agent socket using other tools
>    may circumvent this restriction.
> 
> Checksums:
> ==========
> 
> - SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
> - SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug=
> 
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available from the mirror sites:
> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
> 
> Reporting Bugs:
> ===============
> 
> - Please read https://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
> 
> 

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
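The two mitigations in the quoted announcement (an empty or narrowed `-P` allowlist, and the 9.3p2 default of refusing PKCS#11 loads from remote clients) are easier to reason about with the check written out. The following is an added example in Python, not OpenSSH's own code: it models how ssh-agent(1) canonicalises the requested provider path and then matches it against the comma-separated `-P` pattern list, with `*`/`?` globs and `!` negation, and it layers the remote-client refusal on top. `DEFAULT_ALLOWLIST` is the default documented in the ssh-agent(1) manual page and is treated as an assumption here; the function names and the symlink scenario in `symlink_bypass_demo()` are constructed for illustration.

```python
"""Model of ssh-agent(1)'s PKCS#11 provider allowlist (-P) and the 9.3p2
remote-client refusal. Added illustration, not OpenSSH code."""
import os
import shutil
import tempfile

# Assumed default -P value, as documented in ssh-agent(1).
DEFAULT_ALLOWLIST = "/usr/lib*/*,/usr/local/lib*/*"


def match_pattern(s: str, pattern: str) -> bool:
    """ssh-style glob: '*' matches any run (including '/'), '?' one char,
    no bracket classes."""
    if pattern == "":
        return s == ""
    if pattern[0] == "*":
        rest = pattern.lstrip("*")
        if rest == "":
            return True
        return any(match_pattern(s[k:], rest) for k in range(len(s) + 1))
    if s == "":
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def match_pattern_list(s: str, patterns: str) -> int:
    """Comma-separated pattern list with '!' negation, modelled on OpenSSH's
    match_pattern_list(): 1 = positive match, -1 = negated match, 0 = none.
    An empty list (ssh-agent -P '') matches nothing, so every load is refused."""
    got_positive = 0
    for pat in patterns.split(","):
        if pat == "":
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(s, pat):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def provider_allowed(provider, allowlist=DEFAULT_ALLOWLIST,
                     canonicalize=os.path.realpath):
    """True if the canonical path of the provider matches the allowlist.
    Canonicalising first (realpath) defeats '..' and symlink tricks that
    would otherwise let a path *look* like it lives under /usr/lib."""
    return match_pattern_list(canonicalize(provider), allowlist) == 1


def agent_accepts_pkcs11_add(provider, *, client_is_remote,
                             allow_remote_pkcs11=False,
                             allowlist=DEFAULT_ALLOWLIST):
    """Decision for an add-smartcard-key request. 9.3p2 default: requests
    the ssh client has marked as remote are refused outright unless the
    agent was started with -Oallow-remote-pkcs11; the allowlist is then
    applied to whatever remains."""
    if client_is_remote and not allow_remote_pkcs11:
        return False
    return provider_allowed(provider, allowlist)


def symlink_bypass_demo():
    """Constructed scenario: an allowlisted directory holding a symlink that
    points outside it. Returns (naive_decision, canonical_decision)."""
    base = os.path.realpath(tempfile.mkdtemp())
    try:
        trusted = os.path.join(base, "trusted")
        untrusted = os.path.join(base, "untrusted")
        os.makedirs(trusted)
        os.makedirs(untrusted)
        real = os.path.join(untrusted, "evil.so")
        open(real, "w").close()
        link = os.path.join(trusted, "pkcs11.so")
        os.symlink(real, link)
        allowlist = os.path.join(trusted, "*")
        naive = provider_allowed(link, allowlist, canonicalize=os.path.normpath)
        canonical = provider_allowed(link, allowlist)
        return naive, canonical
    finally:
        shutil.rmtree(base)
```

The practical reading: with `-P ''` nothing passes `provider_allowed()`, which is the cheapest hardening if you never use PKCS#11 or FIDO providers; a narrowed list such as `-P /usr/lib/opensc-pkcs11.so` permits exactly one canonical path; and the remote refusal only helps when the forwarding client is an OpenSSH ssh(1) new enough to tag the connection as remote, as the announcement notes.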