Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-07-24 18:11:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1467 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Mon Jul 24 18:11:47 2023 rev:165 rq:1099856 version:9.3p2 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2023-06-06 19:55:08.426075279 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh-askpass-gnome.changes 2023-07-24 18:11:52.629179853 +0200 @@ -1,0 +2,7 @@ +Fri Jul 21 05:13:56 UTC 2023 - Simon Lees <[email protected]> + +- Update to openssh 9.3p2 + * No changes for askpass, see main package changelog for + details + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-06-06 19:55:08.530075896 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1467/openssh.changes 2023-07-24 18:11:52.685180183 +0200 @@ -1,0 +2,41 @@ +Fri Jul 21 02:48:58 UTC 2023 - Simon Lees <[email protected]> + +- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): + Security + ======== + + Fix CVE-2023-38408 - a condition where specific libaries loaded via + ssh-agent(1)'s PKCS#11 support could be abused to achieve remote + code execution via a forwarded agent socket if the following + conditions are met: + + * Exploitation requires the presence of specific libraries on + the victim system. + * Remote exploitation requires that the agent was forwarded + to an attacker-controlled system. + + Exploitation can also be prevented by starting ssh-agent(1) with an + empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring + an allowlist that contains only specific provider libraries. + + This vulnerability was discovered and demonstrated to be exploitable + by the Qualys Security Advisory team. + + In addition to removing the main precondition for exploitation, + this release removes the ability for remote ssh-agent(1) clients + to load PKCS#11 modules by default (see below). + + Potentially-incompatible changes + -------------------------------- + + * ssh-agent(8): the agent will now refuse requests to load PKCS#11 + modules issued by remote clients by default. A flag has been added + to restore the previous behaviour "-Oallow-remote-pkcs11". + + Note that ssh-agent(8) depends on the SSH client to identify + requests that are remote. The OpenSSH >=8.9 ssh(1) client does + this, but forwarding access to an agent socket using other tools + may circumvent this restriction. + + +------------------------------------------------------------------- Old: ---- openssh-9.3p1.tar.gz openssh-9.3p1.tar.gz.asc New: ---- openssh-9.3p2.tar.gz openssh-9.3p2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.pW1q6I/_old 2023-07-24 18:11:54.105188540 +0200 +++ /var/tmp/diff_new_pack.pW1q6I/_new 2023-07-24 18:11:54.113188586 +0200 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 9.3p1 +Version: 9.3p2 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.pW1q6I/_old 2023-07-24 18:11:54.141188751 +0200 +++ /var/tmp/diff_new_pack.pW1q6I/_new 2023-07-24 18:11:54.145188774 +0200 @@ -37,7 +37,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 9.3p1 +Version: 9.3p2 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT ++++++ openssh-9.3p1.tar.gz -> openssh-9.3p2.tar.gz ++++++ ++++ 2189 lines of diff (skipped)
