Bug 31001

Summary: openssh new security issues fixed upstream in 9.1p1, 9.3p1, and 9.3p2 (CVE-2023-38408)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bruno
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO
Source RPM: openssh-8.4p1-2.2.mga8.src.rpm CVE:
Status comment:
Bug Depends on: 32704    
Bug Blocks:    

Description David Walser 2022-10-21 20:20:51 CEST 
OpenSSH 9.1 has been released on October 4:
https://www.openssh.com/txt/release-9.1

It fixes three security issues, two of which may affect Mageia 8.
David Walser 2022-10-21 20:20:56 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2022-11-21 23:58:52 CET 
Working on modifying all the patches.

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 2 Bruno Cornec 2022-11-22 00:39:57 CET 
Just pushed 9.1 to cauldron. I had to adapt some patches, remove some others including one conflictingm so it may change th way it works. Should be tested by cauldron users to verify it works as expected.
Comment 3 Bruno Cornec 2022-11-22 00:41:47 CET 
FTR that version doesn't build on mga8 with errors linked to the version of openssl used (1.1.1q not providing EVP_PKEY_CTX_new_from_name).

Someone with more knoledge should work on a fix if we wnt a backport.
Comment 4 David Walser 2022-11-22 00:54:20 CET 
openssh-9.1p1-1.mga9 uploaded for Cauldron by Bruno.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: openssh-9.0p1-1.mga9.src.rpm => openssh-8.4p1-2.2.mga8.src.rpm

Comment 5 David Walser 2023-03-16 17:14:38 CET 
OpenSSH 9.3 has been released on March 15:
https://www.openwall.com/lists/oss-security/2023/03/15/8

It fixes two more security issues.

Version: 8 => Cauldron
Summary: openssh new security issues fixed upstream in 9.1p1 => openssh new security issues fixed upstream in 9.1p1 and 9.3p1

David Walser 2023-03-16 17:15:48 CET

Whiteboard: (none) => MGA8TOO

Comment 6 Guillaume Rousse 2023-03-16 19:40:53 CET 
Our current package currently have 43 patches applied, making quite difficult to follow upstream release pace. And for some unknown reason, Fedora seems currently stuck with version 9.0:
https://src.fedoraproject.org/rpms/openssh/
Comment 7 David Walser 2023-07-24 23:11:15 CEST 
(In reply to David Walser from comment #5)
> OpenSSH 9.3 has been released on March 15:
> https://www.openwall.com/lists/oss-security/2023/03/15/8
> 
> It fixes two more security issues.

Release notes:
https://www.openssh.com/txt/release-9.3

Now 9.3p2 has been released, fixing a new security issue:
https://www.openwall.com/lists/oss-security/2023/07/19/8
https://www.openwall.com/lists/oss-security/2023/07/19/9
https://www.openssh.com/txt/release-9.3p2
https://www.openssh.com/security.html

Summary: openssh new security issues fixed upstream in 9.1p1 and 9.3p1 => openssh new security issues fixed upstream in 9.1p1, 9.3p1, and 9.3p2 (CVE-2023-38408)

Comment 8 Bruno Cornec 2023-11-24 03:07:46 CET 
We should incite people to move to mga9 updated wrt this security issue.

Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED

Nicolas Salguero 2024-01-12 11:42:55 CET

Depends on: (none) => 32704