Hello community,

here is the log from the commit of package amazon-ssm-agent for 
openSUSE:Factory checked in at 2025-11-19 14:53:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/amazon-ssm-agent (Old)
 and      /work/SRC/openSUSE:Factory/.amazon-ssm-agent.new.2061 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "amazon-ssm-agent"

Wed Nov 19 14:53:46 2025 rev:37 rq:1318444 version:3.3.3270.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/amazon-ssm-agent/amazon-ssm-agent.changes        
2025-10-23 16:40:20.213709547 +0200
+++ 
/work/SRC/openSUSE:Factory/.amazon-ssm-agent.new.2061/amazon-ssm-agent.changes  
    2025-11-19 14:57:04.908119447 +0100
@@ -1,0 +2,7 @@
+Tue Nov 18 09:53:32 UTC 2025 - John Paul Adrian Glaubitz 
<[email protected]>
+
+- Add CVE-2025-47913.patch to fix an SSH client process terminating
+  when receiving an unexpected message type in response to a key
+  listing or signing request (bsc#1253611, CVE-2025-47913)
+
+-------------------------------------------------------------------
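
Review bot: The changelog entry does not say that the fix lands in the bundled copy of golang.org/x/crypto, although the spec applies the patch inside vendor/golang.org/x/crypto and the patch subject names ssh/agent. Adding "in vendored golang.org/x/crypto (ssh/agent)" to the entry would tell readers which component is affected and that the patch can be dropped once upstream bumps its vendored copy.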

New:
----
  CVE-2025-47913.patch

----------(New B)----------
  New:
- Add CVE-2025-47913.patch to fix an SSH client process terminating
  when receiving an unexpected message type in response to a key
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ amazon-ssm-agent.spec ++++++
--- /var/tmp/diff_new_pack.MVN4QS/_old  2025-11-19 14:57:07.648235441 +0100
+++ /var/tmp/diff_new_pack.MVN4QS/_new  2025-11-19 14:57:07.648235441 +0100
@@ -24,6 +24,10 @@
 Group:          System/Management
 URL:            https://github.com/aws/amazon-ssm-agent
 Source0:        
https://github.com/aws/amazon-ssm-agent/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM - Fix an SSH client process terminating when receiving an 
unexpected
+# message type in response to a key listing or signing request (CVE-2025-47913)
+# Partial patch taken from 
https://cs.opensource.google/go/x/crypto/+/559e062ce8bfd6a39925294620b50906ca2a6f95
+Patch0:         CVE-2025-47913.patch
 BuildRequires:  go >= 1.21
 BuildRequires:  pkgconfig(systemd)
 Requires:       systemd
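
Review bot: The comment above Patch0 says "Partial patch" without saying what was left out, and the commit it links (559e062c...) does not match the hash in the patch file's own From line (2de8ea5d...). Please state which parts of the upstream change were dropped and why, and explain or align the two hashes so the provenance of the patch can be checked. The PATCH-FIX-UPSTREAM line could also carry bsc#1253611, which is currently only in the .changes entry.
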
@@ -95,6 +99,9 @@
 
 %prep
 %setup -q
+pushd vendor/golang.org/x/crypto
+%patch -P0 -p1
+popd
 sed -i -e 's#const[ \s]*Version.*#const Version = "%{version}"#g' 
agent/version/version.go
 sed -i 's#/bin/#/sbin/#' packaging/linux/amazon-ssm-agent.service
 sed -i 's#var defaultWorkerPath = "/usr/bin/"#var defaultWorkerPath = 
"/usr/sbin/"#' agent/appconfig/constants_unix.go
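
Review bot: Style point on the pushd/popd pair around "%patch -P0 -p1" in %prep: the same effect is available in one line with "%patch -P0 -p1 -d vendor/golang.org/x/crypto", which also avoids leaving the working directory changed if a later edit drops the popd. A short comment here that the patch targets the vendored module would help whoever rebases the package on the next upstream version.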

++++++ CVE-2025-47913.patch ++++++
>From 2de8ea5d01b38bc555bc0ea8d00fc701841c571d Mon Sep 17 00:00:00 2001
From: Nicola Murino <[email protected]>
Date: Sun, 31 Aug 2025 20:07:32 +0200
Subject: [PATCH] ssh/agent: return an error for unexpected message types

Previously, receiving an unexpected message type in response to a key
listing or a signing request could cause a panic due to a failed type
assertion.

This change adds a default case to the type switch in order to detect
and explicitly handle unknown or invalid message types, returning a
descriptive error instead of crashing.

Fixes golang/go#75178

Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI 
<[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Reviewed-by: Jakub Ciolek <[email protected]>
---
 ssh/agent/client.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ssh/agent/client.go b/ssh/agent/client.go
index 37525e1..b357e18 100644
--- a/ssh/agent/client.go
+++ b/ssh/agent/client.go
@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
                return keys, nil
        case *failureAgentMsg:
                return nil, errors.New("agent: failed to list keys")
+       default:
+               return nil, fmt.Errorf("agent: failed to list keys, unexpected 
message type %T", msg)
        }
-       panic("unreachable")
 }
 
 // Sign has the agent sign the data using a protocol 2 key as defined
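
Review bot: The new default branch in List() calls fmt.Errorf, but the patch has no import hunk and the diffstat shows only these six changed lines in ssh/agent/client.go. Since the spec describes this as a partial backport onto the vendored copy, please confirm that the vendored client.go already imports "fmt" at version 3.3.3270.0; otherwise the build fails at this line.
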
@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data 
[]byte, flags SignatureFl
                return &sig, nil
        case *failureAgentMsg:
                return nil, errors.New("agent: failed to sign challenge")
+       default:
+               return nil, fmt.Errorf("agent: failed to sign challenge, 
unexpected message type %T", msg)
        }
-       panic("unreachable")
 }
 
 // unmarshal parses an agent message in packet, returning the parsed
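
Review bot: The default branch added to SignWithFlags() has no accompanying test in this patch; the diffstat lists only ssh/agent/client.go. If tests were part of what the "Partial patch" note in the spec left out, say so in the spec comment, so a reviewer knows the error path for an unexpected message type is not exercised by the package build.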
-- 
2.51.1
