Univention Bugzilla – Bug 56940
openssh: Multiple issues (5.0)
Last modified: 2023-12-27 15:44:11 CET
New Debian openssh 1:7.9p1-10+deb10u4 fixes: This update addresses the following issues: 1:7.9p1-10+deb10u4 (Sun, 24 Dec 2023 15:39:13 -0500) * Non-maintainer upload by the LTS Team. * Rename debian/.gitlab-ci.yml to debian/salsa-ci.yml and use lts-team/pipeline recipe for buster in it. * [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. * [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. ssh(1) now bans most shell metacharacters from user and hostnames supplied via the command-line. * [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with .
--- mirror/ftp/pool/main/o/openssh/openssh_7.9p1-10+deb10u3.dsc +++ apt/ucs_5.0-0-errata5.0-6/source/openssh_7.9p1-10+deb10u4.dsc @@ -1,3 +1,32 @@ +1:7.9p1-10+deb10u4 [Sun, 24 Dec 2023 15:39:13 -0500] Santiago Ruano Rincón <santiago@freexian.com>: + + * Non-maintainer upload by the LTS Team. + * Rename debian/.gitlab-ci.yml to debian/salsa-ci.yml and use + lts-team/pipeline recipe for buster in it. + * [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to + thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, + Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect + a limited break of the integrity of the early encrypted SSH transport + protocol by sending extra messages prior to the commencement of + encryption, and deleting an equal number of consecutive messages + immediately after encryption starts. A peer SSH client/server would + not be able to detect that messages were deleted. + * [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained + shell metacharacters was passed to ssh(1), and a ProxyCommand, + LocalCommand directive or "match exec" predicate referenced the user + or hostname via %u, %h or similar expansion token, then an attacker + who could supply arbitrary user/hostnames to ssh(1) could potentially + perform command injection depending on what quoting was present in the + user-supplied ssh_config(5) directive. ssh(1) now bans most shell + metacharacters from user and hostnames supplied via the command-line. + * [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to + correctly initialise supplemental groups when executing an + AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a + AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive + has been set to run the command as a different user. Instead these + commands would inherit the groups that sshd(8) was started with + (closes: #995130). + 1:7.9p1-10+deb10u3 [Wed, 29 Mar 2023 11:02:23 +0200] Utkarsh Gupta <utkarsh@debian.org>: * Non-maintainer upload. <http://piuparts.knut.univention.de/5.0-6/#4439644685939867026>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts Verified
<https://errata.software-univention.de/#/?erratum=5.0x906>