OpenSSH 9.2 has been announced, fixing a security issue introduced in 9.1: https://www.openwall.com/lists/oss-security/2023/02/02/2 https://www.openwall.com/lists/oss-security/2023/02/02/3
Status comment: (none) => Fixed upstream in 9.2p1
This has a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25136
Summary: openssh new double free security issue => openssh new double free security issue (CVE-2023-25136)
Hi, openssh-9.1p1-2.mga9 contains an upstream patch that should fix that issue. Best regards, Nico.
CC: (none) => nicolas.salguero
Thanks.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Fedora has issued an advisory for this on April 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R7LKQDFZWKYHQ65TBSH2X2HJQ4V2THS3/ Apparently they had backported the introduction of the issue to 8.8p1 so they had to backport the fix. Hopefully we haven't also done the former.
We have version 8.4p1 in Mageia 8, and I can't find any trace of the offending code, so I think it's safe to assume we're not affected.