Source: openssh
Version: 1:8.4p1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:8.4p1-5
Control: found -1 1:7.9p1-10+deb10u2
Control: found -1 1:7.9p1-10

Hi,

The following vulnerability was published for openssh.

CVE-2021-41617[0]:
| sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default
| configurations are used, allows privilege escalation because
| supplemental groups are not initialized as expected. Helper programs
| for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with
| privileges associated with group memberships of the sshd process, if
| the configuration specifies running the command as a different user.

IMHO it might be enough to address this via an upcoming point release
for both bullseye and buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41617
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617
[1] https://www.openwall.com/lists/oss-security/2021/09/26/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
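The CVE text above describes a configuration-dependent exposure: the helper commands only inherit sshd's supplemental groups when AuthorizedKeysCommand or AuthorizedPrincipalsCommand is set and the matching *User directive makes sshd run them as another user. As an added triage helper (not part of this bug report or of OpenSSH), the following parses an sshd_config fragment and an `ssh -V` version string to tell whether a host is in that non-default configuration on an upstream-affected version; the config sample is constructed, and the version check only covers the upstream range, since a distribution build such as the Debian versions listed here may carry a backported fix.

```python
"""Triage helper for CVE-2021-41617: is the non-default sshd configuration
from the advisory in use, and is the upstream version in the affected range?"""
import re

# Constructed sample sshd_config fragment (not taken from a real host).
SAMPLE_SSHD_CONFIG = """
# Example configuration
Port 22
AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
AuthorizedKeysCommandUser sshkeys
Match Group admins
    AuthorizedPrincipalsCommand /usr/local/bin/principals %u
    AuthorizedPrincipalsCommandUser nobody
"""

# The two helper-command directives named in the CVE, mapped to the
# companion directive that makes sshd run the helper as a different user.
COMMAND_DIRECTIVES = {
    "authorizedkeyscommand": "authorizedkeyscommanduser",
    "authorizedprincipalscommand": "authorizedprincipalscommanduser",
}


def parse_sshd_config(text):
    """Return [(keyword_lowercase, value)] for every non-comment line.
    sshd accepts 'Key value' or 'Key=value'; keywords are case-insensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if m:
            entries.append((m.group(1).lower(), m.group(2).strip()))
    return entries


def exposed_helpers(text):
    """Return [(command_directive, [commands], [users])] for each helper
    command that is configured, i.e. the setup the advisory calls non-default.
    A value of 'none' disables the directive and is ignored."""
    entries = parse_sshd_config(text)
    found = []
    for cmd_key, user_key in COMMAND_DIRECTIVES.items():
        cmds = [v for k, v in entries if k == cmd_key and v.lower() != "none"]
        users = [v for k, v in entries if k == user_key]
        if cmds:
            found.append((cmd_key, cmds, users))
    return found


def version_affected(version_string):
    """True for upstream OpenSSH 6.2 <= version < 8.8, parsed from 'ssh -V'
    output such as 'OpenSSH_8.4p1 Debian-6, OpenSSL ...'. Distribution
    builds may backport the fix, so treat a True result as a hint only."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("not an OpenSSH version string")
    major, minor = int(m.group(1)), int(m.group(2))
    return (6, 2) <= (major, minor) < (8, 8)
```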