Bug 31001 - openssh new security issues fixed upstream in 9.1p1, 9.3p1, and 9.3p2 (CVE-2023-38408)
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on: 32704
Blocks:
Reported: 2022-10-21 20:20 CEST by David Walser
Modified: 2024-01-12 11:42 CET

See Also:
Source RPM: openssh-8.4p1-2.2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-10-21 20:20:51 CEST
OpenSSH 9.1 has been released on October 4:
https://www.openssh.com/txt/release-9.1

It fixes three security issues, two of which may affect Mageia 8.
David Walser 2022-10-21 20:20:56 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2022-11-21 23:58:52 CET
Working on modifying all the patches.

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 2 Bruno Cornec 2022-11-22 00:39:57 CET
Just pushed 9.1 to cauldron. I had to adapt some patches, remove some others including one conflicting, so it may change the way it works. Should be tested by cauldron users to verify it works as expected.
Comment 3 Bruno Cornec 2022-11-22 00:41:47 CET
FTR that version doesn't build on mga8 with errors linked to the version of openssl used (1.1.1q not providing EVP_PKEY_CTX_new_from_name).

Someone with more knowledge should work on a fix if we want a backport.
Comment 4 David Walser 2022-11-22 00:54:20 CET
openssh-9.1p1-1.mga9 uploaded for Cauldron by Bruno.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: openssh-9.0p1-1.mga9.src.rpm => openssh-8.4p1-2.2.mga8.src.rpm

Comment 5 David Walser 2023-03-16 17:14:38 CET
OpenSSH 9.3 has been released on March 15:
https://www.openwall.com/lists/oss-security/2023/03/15/8

It fixes two more security issues.

Version: 8 => Cauldron
Summary: openssh new security issues fixed upstream in 9.1p1 => openssh new security issues fixed upstream in 9.1p1 and 9.3p1

David Walser 2023-03-16 17:15:48 CET

Whiteboard: (none) => MGA8TOO

Comment 6 Guillaume Rousse 2023-03-16 19:40:53 CET
Our current package currently has 43 patches applied, making it quite difficult to follow upstream release pace. And for some unknown reason, Fedora seems currently stuck with version 9.0:
https://src.fedoraproject.org/rpms/openssh/
Comment 7 David Walser 2023-07-24 23:11:15 CEST
(In reply to David Walser from comment #5)
> OpenSSH 9.3 has been released on March 15:
> https://www.openwall.com/lists/oss-security/2023/03/15/8
> 
> It fixes two more security issues.

Release notes:
https://www.openssh.com/txt/release-9.3

Now 9.3p2 has been released, fixing a new security issue:
https://www.openwall.com/lists/oss-security/2023/07/19/8
https://www.openwall.com/lists/oss-security/2023/07/19/9
https://www.openssh.com/txt/release-9.3p2
https://www.openssh.com/security.html

Summary: openssh new security issues fixed upstream in 9.1p1 and 9.3p1 => openssh new security issues fixed upstream in 9.1p1, 9.3p1, and 9.3p2 (CVE-2023-38408)

Comment 8 Bruno Cornec 2023-11-24 03:07:46 CET
We should incite people to move to mga9 updated wrt this security issue.

Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED

Nicolas Salguero 2024-01-12 11:42:55 CET

Depends on: (none) => 32704

