Bug#1052150: bullseye-pu: package openssh/1:8.4p1-5+deb11u2

Colin Watson

Sep 18, 2023, 4:10:05 AM
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ope...@packages.debian.org
Control: affects -1 + src:openssh

[ Reason ]
https://bugs.debian.org/1042460 is a security issue affecting bullseye.
The security team doesn't think it warrants a DSA, but thinks it's worth
fixing in a point release. I agree.

[ Impact ]
Forwarding an SSH agent to a remote system may be exploitable by
administrators of that remote system in complicated conditions. See
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.

[ Tests ]
I have tested this manually as far as I'm able to do so. Essentially,
this shuts down the exploit at the first hurdle by refusing to load
objects that don't appear to be valid FIDO/PKCS#11 modules intended for
use by ssh-agent.

[ Risks ]
The code isn't quite trivial, but it's fairly straightforward once you
understand what it's doing.

The second upstream patch in the series wasn't in OpenSSH 9.3p2 (the
initial upstream release addressing this vulnerability), but I think
it's worth taking anyway because it shuts down a range of clever attacks
along these same lines without introducing an unreasonable amount of
extra complexity. Ubuntu did the same thing in their security updates
for this.

I wasn't able to backport the other part of upstream's fix for this
(disallowing remote addition of FIDO/PKCS#11 keys by default), because
that relies on the mechanism in
https://www.openssh.com/agent-restrict.html and bullseye doesn't have
that.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
See attached debdiff.

Thanks,

--
Colin Watson (he/him) [cjwa...@debian.org]
openssh_8.4p1-5+deb11u2.debdiff
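
The check described under [ Tests ] above, refusing objects that do not look like FIDO/PKCS#11 modules, can be illustrated by inspecting an ELF file's dynamic symbol table without loading the object. This is an added example, not code from this thread, the debdiff or OpenSSH; the required symbol names, the function names and the constructed sample image are assumptions, and only little-endian ELF64 input is handled.

```python
import struct

# Assumed entry points: C_GetFunctionList (PKCS#11), sk_api_version (FIDO middleware).
REQUIRED = {"C_GetFunctionList", "sk_api_version"}
SHDR, SYM, SHT_DYNSYM = "<IIQQQQIIQQ", "<IBBHQQ", 11

def defined_dynsyms(elf):
    """Names of defined dynamic symbols in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 object")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    secs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for _, stype, _, _, off, size, link, _, _, entsize in secs:
        if stype != SHT_DYNSYM or entsize < 24 or link >= shnum:
            continue
        strtab = elf[secs[link][4]:secs[link][4] + secs[link][5]]
        for pos in range(off, off + size, entsize):
            st_name, _, _, st_shndx, _, _ = struct.unpack_from(SYM, elf, pos)
            if st_shndx != 0 and st_name < len(strtab):  # skip imports (SHN_UNDEF)
                names.add(strtab[st_name:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def may_load(elf):
    """True only if the image exports at least one required entry point."""
    try:
        return bool(defined_dynsyms(elf) & REQUIRED)
    except (ValueError, struct.error):
        return False  # unparseable objects are refused, never loaded

def build_sample(symbols):
    """Constructed minimal ELF64 image exporting `symbols` (sample input only)."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    symtab, pos = struct.pack(SYM, 0, 0, 0, 0, 0, 0), 1
    for s in symbols:
        symtab += struct.pack(SYM, pos, 0x12, 0, 1, 0, 0)  # GLOBAL FUNC, defined
        pos += len(s) + 1
    shoff = 64 + len(symtab) + len(strtab)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = (bytes(64)
             + struct.pack(SHDR, 0, SHT_DYNSYM, 2, 0, 64, len(symtab), 2, 1, 8, 24)
             + struct.pack(SHDR, 0, 3, 2, 0, 64 + len(symtab), len(strtab), 0, 0, 1, 0))
    return hdr + symtab + strtab + shdrs

if __name__ == "__main__":
    print(may_load(build_sample(["C_GetFunctionList"])))
    print(may_load(build_sample(["helper_init"])))
```

Because the file is only parsed, nothing in it runs before the decision is made, and anything that fails to parse is refused.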

Adam D. Barratt

Sep 23, 2023, 5:10:06 PM
Control: tags -1 confirmed

On Mon, 2023-09-18 at 09:03 +0100, Colin Watson wrote:
> https://bugs.debian.org/1042460 is a security issue affecting bullseye.
> The security team doesn't think it warrants a DSA, but thinks it's worth
> fixing in a point release. I agree.
>

> [ Impact ]
> Forwarding an SSH agent to a remote system may be exploitable by
> administrators of that remote system in complicated conditions. See
> https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.
>

Please go ahead.

Regards,

Adam

Adam D Barratt

Sep 24, 2023, 3:50:06 PM
package release.debian.org
tags 1052150 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: openssh
Version: 8.4p1-5+deb11u2

Explanation: fix remote code execution issue via a forwarded agent socket [CVE-2023-38408]