-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Dec 2023 14:51:56 +0000
Source: openssh
Architecture: source
Version: 1:9.2p1-2+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1033166
Changes:
 openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
       a limited break of the integrity of the early encrypted SSH transport
       protocol by sending extra messages prior to the commencement of
       encryption, and deleting an equal number of consecutive messages
       immediately after encryption starts. A peer SSH client/server would
       not be able to detect that messages were deleted.
     - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
       while specifying destination constraints, if the PKCS#11 token
       returned multiple keys then only the first key had the constraints
       applied. Use of regular private keys, FIDO tokens and unconstrained
       keys are unaffected.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
       shell metacharacters was passed to ssh(1), and a ProxyCommand,
       LocalCommand directive or "match exec" predicate referenced the user
       or hostname via %u, %h or similar expansion token, then an attacker
       who could supply arbitrary user/hostnames to ssh(1) could potentially
       perform command injection depending on what quoting was present in
       the user-supplied ssh_config(5) directive. ssh(1) now bans most shell
       metacharacters from user and hostnames supplied via the command-line.
Checksums-Sha1:
 b8c40341353d53e043cb66eb4d78f0eb97dfddcf 3229 openssh_9.2p1-2+deb12u2.dsc
 3b172b8e971773a7018bbf3231f6589ae539ca4b 1852380 openssh_9.2p1.orig.tar.gz
 057ac5ac6e2fa0a26a105b085822a09f1a068683 833 openssh_9.2p1.orig.tar.gz.asc
 16cba66caf76b5282ca9135670ac2fce2a4abd8a 191360 openssh_9.2p1-2+deb12u2.debian.tar.xz
 29b80808914645115336d6b393efe57d2398b1f3 15881 openssh_9.2p1-2+deb12u2_source.buildinfo
Checksums-Sha256:
 147649417f149b404c20bf64717e60339ef088f1ae00589f42cd3888a680a5be 3229 openssh_9.2p1-2+deb12u2.dsc
 3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 1852380 openssh_9.2p1.orig.tar.gz
 7acc8e9502040972aeecb785fa3b6bb00c069cc01fbd7c214f8f7867033a6dbb 833 openssh_9.2p1.orig.tar.gz.asc
 c5317cfc95be66f325c88323d066320f0aa00a7970dddd9fc0916a1f17e114d4 191360 openssh_9.2p1-2+deb12u2.debian.tar.xz
 160ac354a3c803e203a45fd850b059de6c05c3319cc6715cc6bb78e57705c57a 15881 openssh_9.2p1-2+deb12u2_source.buildinfo
Files:
 f7a4e05b382ba909c0cb4b95ef80d554 3229 net standard openssh_9.2p1-2+deb12u2.dsc
 f78b2acac4bb299629a8c58ddc3fac63 1852380 net standard openssh_9.2p1.orig.tar.gz
 4b8baeab4dd1ff732a02e94c227cf788 833 net standard openssh_9.2p1.orig.tar.gz.asc
 b06d3e7e9680058bf5444cadc4ce41c5 191360 net standard openssh_9.2p1-2+deb12u2.debian.tar.xz
 73cb53b65064b4cdee862965e4767f4a 15881 net standard openssh_9.2p1-2+deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmWBtuUACgkQOTWH2X2G
UAtXuQ/8CIbpG9D8Q9DMDz+eOSJgGS9FQ6e65em+RWej1gs5MGLYNeCunL8R7vM8
XWRjDvmkYYm6ProYJI0dotDfYjX7cYckMed2mmsZpfgo6L3uJ/Dyyo910AQmqq1U
DpSL/yCLPOktE87unXJ51fO2S4Lyfuf2CPnDvkD77rgU3DmuxXA/CYPGpadCKrVf
IL/s/vcwjvvVDDjEj67Jb8ZkWlYhkKhzRh7EmMXyzD88qib+NLqiF2SbQbMwYxmd
h1Y1j2DLKnhgYkDmDfihMyPJox8k1VAzGxdARETivaUo1Z/d/kV7Fo8XOG8KlOOP
c4az6g1XAcOR2sifEBBm5ZR3J2TzTCtEnAG9BBel6kF0yltyKdW76yNNx+UQTPSN
O5yKMQrAY/1UaJIXjaAlF/SlwmpsbD1nZ/KxG94Zjz5hKph7qODkpYX26xsmnyxJ
ksaizvih2TVU/r8sVzxiBsPUXRm6UQFqNCHk5VHwtMyXz57d+H9TbtTibu6FeIkA
FeGUVPVcQOsPuBmgDSYeKPN1CmUGOB65yrTwuEDqAcjZ/A07DhWfOhh7midSg5W7
HfQkjwIm1O9NoBKMjRmUfeSYIKtWnWMxDj8XmhdhoVXAZSgpN3ORSx20wnvAmYTb
oscwwSQptxbu72s2P8cUtHMrvIEp/iXhfIGIWoBbNvCU7DUIgoA=
=F+qp
-----END PGP SIGNATURE-----
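The CVE-2023-51385 entry above describes the defect class (a hostname or username reaching a %h/%u expansion in a ProxyCommand or LocalCommand unchecked) and the mitigation (ssh(1) rejecting shell metacharacters in names taken from the command line). The following is an added example, not part of the Debian .changes file and not OpenSSH's own code, that models that validate-then-expand order in Python. The allowed hostname alphabet, the banned-character set for usernames, the length limits and the ProxyCommand template are all assumptions constructed for the example; OpenSSH's real tables may differ.

```python
import re

# Assumed character policy for this example (not OpenSSH's exact tables):
# a hostname is letters, digits, '.', '-' and ':' (the latter for IPv6
# literals); a remote username may not contain any of the shell
# metacharacters below.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:\-]*$")
_USER_BANNED = frozenset("'\"`$\\;&|<>(){}[]*?!~#^ \t\r\n")


def valid_hostname(host: str) -> bool:
    """True if `host` can stand in for %h without the shell seeing it as
    anything other than a single word."""
    return 0 < len(host) <= 253 and _HOSTNAME_RE.match(host) is not None


def valid_ruser(user: str) -> bool:
    """True if `user` contains no shell metacharacters and may stand in for %u."""
    return 0 < len(user) <= 32 and not (_USER_BANNED & frozenset(user))


def expand_tokens(template: str, host: str, user: str) -> str:
    """Naive %h/%u expansion, the way a ProxyCommand or LocalCommand string
    is assembled before being handed to `/bin/sh -c`. Deliberately does no
    validation: this is the step the changelog says is unsafe on its own."""
    return template.replace("%h", host).replace("%u", user)


def safe_expand(template: str, host: str, user: str) -> str:
    """Validate first, then expand: the order the fixed ssh(1) adopts for
    names supplied on the command line. Raises ValueError on rejection."""
    if not valid_hostname(host):
        raise ValueError(f"hostname rejected: {host!r}")
    if not valid_ruser(user):
        raise ValueError(f"username rejected: {user!r}")
    return expand_tokens(template, host, user)


if __name__ == "__main__":
    # Constructed ProxyCommand template and sample names for the demo.
    template = "nc -X connect -x proxy.internal:1080 %h 22"
    print("accepted:", safe_expand(template, "git.example.com", "alice"))
    for bad_host in ("git.example.com;echo injected", "$(hostname).example"):
        try:
            safe_expand(template, bad_host, "alice")
        except ValueError as err:
            print("rejected:", err)
    # Contrast: what the unchecked expansion would have passed to the shell.
    print("unchecked expansion:",
          expand_tokens(template, "git.example.com;echo injected", "alice"))
```

The same check belongs in any wrapper that builds ssh command lines from untrusted input (CI runners, deployment tooling, git remotes): validate the name against an allow-list of characters before it is interpolated, rather than trying to quote it afterwards, since the changelog notes that the outcome depends on whatever quoting the user's ssh_config(5) directive happens to contain.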