• [SECURITY] [DSA 5586-1] openssh security update

    From Salvatore Bonaccorso@21:1/5 to All on Fri Dec 22 10:10:01 2023
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-5586-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso December 22, 2023 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssh
    CVE ID : CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384
    Debian Bug : 995130 1033166

    Several vulnerabilities have been discovered in OpenSSH, an
    implementation of the SSH protocol suite.


    It was discovered that sshd failed to correctly initialise
    supplemental groups when executing an AuthorizedKeysCommand or
    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
    AuthorizedPrincipalsCommandUser directive has been set to run the
    command as a different user. Instead these commands would inherit
    the groups that sshd was started with.


    Luci Stanescu reported that a error prevented constraints being
    communicated to the ssh-agent when adding smartcard keys to the
    agent with per-hop destination constraints, resulting in keys being
    added without constraints.


    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that
    the SSH protocol is prone to a prefix truncation attack, known as
    the "Terrapin attack". This attack allows a MITM attacker to effect
    a limited break of the integrity of the early encrypted SSH
    transport protocol by sending extra messages prior to the
    commencement of encryption, and deleting an equal number of
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/


    It was discovered that when PKCS#11-hosted private keys were
    added while specifying destination constraints, if the PKCS#11
    token returned multiple keys then only the first key had the
    constraints applied.


    It was discovered that if an invalid user or hostname that contained
    shell metacharacters was passed to ssh, and a ProxyCommand,
    LocalCommand directive or "match exec" predicate referenced the user
    or hostname via expansion tokens, then an attacker who could supply
    arbitrary user/hostnames to ssh could potentially perform command
    injection. The situation could arise in case of git repositories
    with submodules, where the repository could contain a submodule with
    shell characters in its user or hostname.

    For the oldstable distribution (bullseye), these problems have been fixed
    in version 1:8.4p1-5+deb11u3.

    For the stable distribution (bookworm), these problems have been fixed in version 1:9.2p1-2+deb12u2.

    We recommend that you upgrade your openssh packages.

    For the detailed security status of openssh please refer to its security tracker page at:

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWFTwlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0S6PRAAkBJzc/CFQgXLtms7bom/Vw750vvqEVhj7ojOPHbmpoppVIjFR768C5Z6 AO5HiP/uH1tk0x2zejbPhXRgLK/2PEuCTA/4w7UeTzYIGve3IVKVgNs+/sgWQBuK M1xj8zL1PLkRi6rSXAvGpTxqdCtWC61AWHOl1Q03w3usilETJKDsulOBb9sQ9Uid xSRxDUAS//gyRdW+K3D9HsPYJAW/oSu4tJO+UXI1WJTDY1N/i0cq7yH16YXzbEcV dhttLyR5fWx000fSsaaWXgYUS2sSYUfOKPfw4xdePpdeBYNumnpehjfCED5C61EQ os4uvEDi15X8M599/+u0oLVJJFXVSfZ4W1ecFWcFAvMny70F0s1a7AxQCcN3sXkt kLAuOXJHmmhBeqSj1kVKoLcg4WSlCdglRr6KgiXqUVvfUBsWhseoyGJ3jST3PQcZ 70/lIJofavLJdFQHlPTXs7lDnFttgzuB3xE5wM7TeXs5L2l9QI0W64YCtWthqApL c7KjPGmAx7xYOOp+aHclsP74nBVZs6tcvHPf9Y/1OK30XkoMbuW0+oH1rCu6EGs0 F6Th1FneTwRN2NEhzpQMr+34m0T8H7oymiQmi9C+ZDhCBDRcpN4sATYNh70Y/t6y i8k/vZcCCfLxQgdiay5JJCWJPf1pvvmPbgMLs4WVELr/6E9xIR0=
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)