Package: openssh-client
Version: 1:8.4p1-5+deb11u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc:, Debian Security Team 

"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code execution if
an agent is forwarded to an attacker-controlled system."

While it does not affect all users of ssh-agent, it does affect many of them
and commonly suggested workaround (using jumphosts instead of agent forwarding)
is not applicable to many use cases (git push over ssh, using
libpam-ssh-agent-auth, etc.) indicates that
the new fixed version 1:9.3p2-1 has been uploaded in sid and trixie, however
bookworm (stable) and bullseye (oldstable) still have no security fix since 
CVE release on 2023-07-20.

(workaround by pinning fixed version from trixie is not possible, due to
significant libraries clash; and there are no Debian backports either)

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.12
ii  libc6             2.31-13+deb11u6
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u3
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1n-0+deb11u5
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-client recommends:
pn  xauth  <none>

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

Reply via email to