-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 Dec 2023 16:09:44 +0000
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 995130
Changes:
 openssh (1:8.4p1-5+deb11u3) bullseye-security; urgency=medium
 .
   * Cherry-pick from upstream:
     - [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to
       correctly initialise supplemental groups when executing an
       AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
       AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
       directive has been set to run the command as a different user.
       Instead these commands would inherit the groups that sshd(8) was
       started with (closes: #995130).
     - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
       thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
       Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to
       effect a limited break of the integrity of the early encrypted SSH
       transport protocol by sending extra messages prior to the
       commencement of encryption, and deleting an equal number of
       consecutive messages immediately after encryption starts. A peer
       SSH client/server would not be able to detect that messages were
       deleted.
     - [CVE-2023-51385] ssh(1): if an invalid user or hostname that
       contained shell metacharacters was passed to ssh(1), and a
       ProxyCommand, LocalCommand directive or "match exec" predicate
       referenced the user or hostname via %u, %h or similar expansion
       token, then an attacker who could supply arbitrary user/hostnames
       to ssh(1) could potentially perform command injection depending on
       what quoting was present in the user-supplied ssh_config(5)
       directive. ssh(1) now bans most shell metacharacters from user and
       hostnames supplied via the command-line.