Bug 32704 - openssh new security issues CVE-2023-38408, CVE-2023-48795, CVE-2023-5138[45]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31001 32671
Reported: 2024-01-08 17:12 CET by Nicolas Salguero
Modified: 2024-01-14 23:25 CET

See Also:
Source RPM: openssh-9.3p1-2.mga9
CVE: CVE-2023-38408, CVE-2023-48795, CVE-2023-51384, CVE-2023-51385
Status comment:


Description Nicolas Salguero 2024-01-08 17:12:13 CET
Ubuntu has issued an advisory on January 3:
https://ubuntu.com/security/notices/USN-6565-1

Mageia 9 is also affected.

Nicolas Salguero 2024-01-08 17:12:50 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-51384, CVE-2023-51385
Source RPM: (none) => openssh-9.3p1-3.mga10.src.rpm

Comment 1 Lewis Smith 2024-01-08 20:38:30 CET
The Ubuntu link leads to three other CVEs:

It was discovered that OpenSSH incorrectly handled supplemental groups when
running helper programs for AuthorizedKeysCommand and
AuthorizedPrincipalsCommand as a different user. An attacker could possibly
use this issue to escalate privileges. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-41617)
Patches:

upstream: https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455

upstream: https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde

Following the Debian links ended in this commit (same as above?):
https://salsa.debian.org/ssh-team/openssh/-/commit/213973a60c9432a8c4ad8aaa8d2dfff3a957fa8e

It was discovered that OpenSSH incorrectly added destination constraints
when PKCS#11 token keys were added to ssh-agent, contrary to expectations.
This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-51384)

Patches:
upstream: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b (V_9_6_P1)

It was discovered that OpenSSH incorrectly handled user names or host names
with shell metacharacters. An attacker could possibly use this issue to
perform OS command injection. (CVE-2023-51385)

Patches:
upstream: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a (V_9_6_P1)

openssh has no evident packager associated, so assigning this globally.

Assignee: bugsquad => pkg-bugs
CVE: CVE-2023-51384, CVE-2023-51385 => CVE-2023-51384, CVE-2023-51385, CVE-2021-41617

Comment 2 Nicolas Salguero 2024-01-12 11:42:55 CET
CVE-2021-41617 has been fixed since version 8.8.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (CVE-2023-38408)

Prefix Truncation Attacks in SSH Specification (Terrapin Attack). (CVE-2023-48795)

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. (CVE-2023-51385)

References:
https://ubuntu.com/security/notices/USN-6565-1
https://bugs.mageia.org/show_bug.cgi?id=32671
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3
https://bugs.mageia.org/show_bug.cgi?id=31001
https://www.openwall.com/lists/oss-security/2023/07/19/8
https://www.openwall.com/lists/oss-security/2023/07/19/9
https://www.openssh.com/txt/release-9.3p2
========================

Updated packages in core/updates_testing:
========================
openssh-9.3p1-2.1.mga9
openssh-askpass-common-9.3p1-2.1.mga9
openssh-askpass-gnome-9.3p1-2.1.mga9
openssh-clients-9.3p1-2.1.mga9
openssh-keycat-9.3p1-2.1.mga9
openssh-server-9.3p1-2.1.mga9

from SRPM:
openssh-9.3p1-2.1.mga9.src.rpm

Blocks: (none) => 31001, 32671
CVE: CVE-2023-51384, CVE-2023-51385, CVE-2021-41617 => CVE-2023-51384, CVE-2023-51385
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Source RPM: openssh-9.3p1-3.mga10.src.rpm => openssh-9.3p1-2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
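
As an added illustration (not part of this bug report and not OpenSSH code), a defender-side audit for the CVE-2023-51385 scenario described in comment 2: it scans `.gitmodules` content for SSH submodule URLs whose user or host part contains shell metacharacters. The metacharacter set, the function names and the sample file are assumptions constructed for this example.

```python
import re

# Assumption for this example: a conservative set of shell metacharacters.
SHELL_META = set("'`\"$\\;&<>|(){}")
URL_LINE = re.compile(r"^[ \t]*url[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.M)
SSH_URL = re.compile(r"^(?:git\+)?ssh://(?P<auth>[^/]*)")
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/:]+)@)?(?P<host>[^/:]+):(?!//)")

# Constructed sample .gitmodules; hosts and names are made up.
SAMPLE = """\
[submodule "docs"]
    path = docs
    url = https://example.invalid/docs.git
[submodule "lib"]
    path = lib
    url = ssh://git@example.invalid:2222/lib.git
[submodule "vendor"]
    path = vendor
    url = ssh://bui;ld@example.invalid/vendor.git
[submodule "tools"]
    path = tools
    url = git@exam|ple.invalid:tools.git
"""

def suspicious(name):
    """True if the name has a metacharacter, whitespace or control character."""
    return any(c in SHELL_META or c.isspace() or ord(c) < 0x20 for c in name)

def ssh_target(url):
    """Return (user, host) for ssh:// and scp-like URLs, None for other transports."""
    m = SSH_URL.match(url)
    if m:
        user, _, hostport = m.group("auth").rpartition("@")
        return user, re.sub(r":\d*$", "", hostport)  # drop an optional :port
    m = SCP_LIKE.match(url)
    if m:
        return m.group("user") or "", m.group("host")
    return None

def audit_gitmodules(text):
    """List (url, offending parts) for every SSH submodule URL worth reviewing."""
    findings = []
    for url in URL_LINE.findall(text):
        target = ssh_target(url)
        if target is None:
            continue
        bad = [f"{k}={v!r}" for k, v in zip(("user", "host"), target) if suspicious(v)]
        if bad:
            findings.append((url, bad))
    return findings
```

Running `audit_gitmodules` on a repository's `.gitmodules` before `git submodule update` gives a review list; installing the updated packages remains the actual fix.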

PC LX 2024-01-12 12:36:58 CET

CC: (none) => mageia

Comment 3 Marja Van Waes 2024-01-12 18:34:06 CET
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Summary: openssh new security issues CVE-2023-5138[45] => openssh new security issues CVE-2023-38408, CVE-2023-48795, CVE-2023-5138[45]
CC: (none) => marja11
Source RPM: openssh-9.3p1-2.mga9.src.rpm => openssh-9.3p1-2.mga9
CVE: CVE-2023-51384, CVE-2023-51385 => CVE-2023-38408, CVE-2023-48795, CVE-2023-51384, CVE-2023-51385
Keywords: (none) => advisory

Comment 4 katnatek 2024-01-12 22:33:47 CET
Tested on real hardware Mageia 9 x86_64 lxqt

Related packages in my system were updated without issues
Can make ssh connections to my system
Can make ssh connections from my system to remote systems

Comment 5 Brian Rockwell 2024-01-13 17:14:15 CET
MGA9-64, Plasma

Used 

ssh
ssh-keygen
ssh-keyscan
sftp

working as expected.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1

Comment 6 Thomas Andrews 2024-01-13 22:30:08 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2024-01-14 23:25:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0010.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

