Date:      Wed, 19 Jul 2023 17:04:21 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 66fd12cf4896 - main - ssh: Update to OpenSSH 9.3p2
Message-ID:  <202307191704.36JH4Lip083569@gitrepo.freebsd.org>

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=66fd12cf4896eb08ad8e7a2627537f84ead84dd3

commit 66fd12cf4896eb08ad8e7a2627537f84ead84dd3
Merge: 37eec7f68a79 e524ba4db420
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-07-19 17:02:33 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-19 17:02:33 +0000

    ssh: Update to OpenSSH 9.3p2
    
    From the release notes:
    
    Changes since OpenSSH 9.3
    =========================
    
    This release fixes a security bug.
    
    Security
    ========
    
    Fix CVE-2023-38408 - a condition where specific libraries loaded via
    ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
    code execution via a forwarded agent socket if the following
    conditions are met:
    
    * Exploitation requires the presence of specific libraries on
      the victim system.
    * Remote exploitation requires that the agent was forwarded
      to an attacker-controlled system.
    
    Exploitation can also be prevented by starting ssh-agent(1) with an
    empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
    an allowlist that contains only specific provider libraries.
    
    This vulnerability was discovered and demonstrated to be exploitable
    by the Qualys Security Advisory team.
    
    In addition to removing the main precondition for exploitation,
    this release removes the ability for remote ssh-agent(1) clients
    to load PKCS#11 modules by default (see below).
    
    Potentially-incompatible changes
    --------------------------------
    
     * ssh-agent(8): the agent will now refuse requests to load PKCS#11
       modules issued by remote clients by default. A flag has been added
       to restore the previous behaviour "-Oallow-remote-pkcs11".
    
       Note that ssh-agent(8) depends on the SSH client to identify
       requests that are remote. The OpenSSH >=8.9 ssh(1) client does
       this, but forwarding access to an agent socket using other tools
       may circumvent this restriction.
    
    CVE:            CVE-2023-38408
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/ChangeLog                   | 1867 +---------------------------
 crypto/openssh/README                      |    2 +-
 crypto/openssh/contrib/redhat/openssh.spec |    2 +-
 crypto/openssh/contrib/suse/openssh.spec   |    2 +-
 crypto/openssh/ssh-agent.1                 |   22 +-
 crypto/openssh/ssh-agent.c                 |   21 +-
 crypto/openssh/ssh-pkcs11.c                |    6 +-
 crypto/openssh/sshd_config                 |    2 +-
 crypto/openssh/sshd_config.5               |    2 +-
 crypto/openssh/version.h                   |    4 +-
 10 files changed, 82 insertions(+), 1848 deletions(-)
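The release notes above name two defender-side actions: confirm which hosts run the fixed release, and run ssh-agent(1) with an empty PKCS#11/FIDO allowlist (`ssh-agent -P ''`) so that no provider library can be loaded regardless of where a request comes from. The script below is an added example, not code from this commit or from OpenSSH. It classifies SSH server banners against the 9.3p2 threshold, generalising beyond FreeBSD's own banner to any OpenSSH version string, and can optionally start a hardened agent and show that a provider load is refused. The hostnames and banners in SAMPLE_BANNERS are constructed for the example, and the `--agent-demo` switch is this script's own convention.

```shell
#!/bin/sh
# Added example for CVE-2023-38408 hardening checks; this is not code from
# the FreeBSD commit or from OpenSSH. It assumes only POSIX sh; ssh-agent and
# ssh-add are needed solely for the optional --agent-demo path.
set -u

# banner_has_fix BANNER
#   0 -> banner advertises OpenSSH 9.3p2 or a later release
#   1 -> OpenSSH, but older than 9.3p2 (a bare "9.3" with no p-level counts here)
#   2 -> not an OpenSSH banner at all, or unparseable
banner_has_fix() {
    token=${1#SSH-2.0-OpenSSH_}
    [ "$token" != "$1" ] || return 2      # prefix absent: not OpenSSH
    token=${token%% *}                     # "9.3p2 FreeBSD-20230719" -> "9.3p2"
    case $token in *.*) ;; *) return 2 ;; esac
    major=${token%%.*}
    rest=${token#*.}
    minor=${rest%%[!0-9]*}
    case $rest in
        *p*) portable=${rest#*p}; portable=${portable%%[!0-9]*} ;;
        *)   portable=0 ;;
    esac
    # Any malformed field becomes "unparseable" rather than a shell error.
    for f in "$major" "$minor" "$portable"; do
        case $f in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -lt 9 ]; then return 1; fi
    if [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$minor" -lt 3 ]; then return 1; fi
    [ "$portable" -ge 2 ]
}

# audit_banners < "host banner" lines
#   Prints one "STATUS host banner" line per input line and returns the
#   number of hosts still below 9.3p2 as its exit status.
audit_banners() {
    unfixed=0
    while IFS= read -r line; do
        host=${line%% *}
        banner=${line#* }
        rc=0
        banner_has_fix "$banner" || rc=$?
        case $rc in
            0) status=FIXED ;;
            1) status=UNFIXED; unfixed=$((unfixed + 1)) ;;
            *) status=UNKNOWN ;;
        esac
        printf '%-8s %s  %s\n' "$status" "$host" "$banner"
    done
    return $unfixed
}

# Constructed sample inventory: hostnames and banners are made up for the
# example. The FreeBSD strings mirror the before/after values in version.h.
SAMPLE_BANNERS='bastion.example SSH-2.0-OpenSSH_9.3p2 FreeBSD-20230719
build.example SSH-2.0-OpenSSH_9.3p1 FreeBSD-20230316
jump.example SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
edge.example SSH-2.0-OpenSSH_9.4
router.example SSH-2.0-dropbear_2022.83'

# agent_demo: start an agent with an empty PKCS#11/FIDO allowlist (the
# mitigation from the release notes) and show that a provider load is refused.
# stdin is redirected from /dev/null so ssh-add cannot block on a PIN prompt.
agent_demo() {
    eval "$(ssh-agent -s -P '')" >/dev/null          # -P '' : no provider may be loaded
    if ssh-add -s /tmp/example-provider.so </dev/null 2>/dev/null; then
        echo "agent accepted a provider load: allowlist is NOT in effect"
    else
        echo "agent refused the provider load (expected with -P '')"
    fi
    ssh-agent -k >/dev/null                           # tear the demo agent down
}

# Run the inventory audit over the constructed sample; pass --agent-demo to
# also exercise the allowlist mitigation on this host.
printf '%s\n' "$SAMPLE_BANNERS" | audit_banners || true
if [ "${1:-}" = "--agent-demo" ]; then agent_demo; fi
```

The banner check is a heuristic: a vendor that backports the fix without bumping the version string will show as UNFIXED, and an OpenBSD base "OpenSSH_9.3" with no p-level cannot be told apart from an unpatched build, so treat UNFIXED as "verify on the host". The allowlist is the control to rely on: as the release notes say, the new refuse-remote-PKCS#11 default depends on the ssh(1) client marking requests as remote, whereas `-P ''` denies provider loads from every client.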

diff --cc crypto/openssh/sshd_config
index e3228f94f94a,36894ace503d..767024db5209
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@@ -104,8 -100,7 +104,8 @@@ AuthorizedKeysFile	.ssh/authorized_key
  #MaxStartups 10:30:100
  #PermitTunnel no
  #ChrootDirectory none
 -#VersionAddendum none
 +#UseBlacklist no
- #VersionAddendum FreeBSD-20230316
++#VersionAddendum FreeBSD-20230719
  
  # no default banner path
  #Banner none
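Review bot: `#VersionAddendum FreeBSD-20230719` is a commented-out example, not the effective setting, so the only thing this line does is document the compiled-in default; it has to be bumped in lockstep with SSH_VERSION_FREEBSD in version.h (as this merge does), otherwise the shipped config and `sshd -T` output disagree. Because the addendum is sent to every client before authentication, inventory and vulnerability scanners will key on the full string `OpenSSH_9.3p2 FreeBSD-20230719` to recognise the fixed release; sites that would rather not advertise their patch date can set `VersionAddendum none`, which the matching man page hunk documents.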
diff --cc crypto/openssh/sshd_config.5
index 9bd447e47863,9a1578f75e86..d960bbda5e0f
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@@ -1927,10 -1900,7 +1927,10 @@@ The default i
  Optionally specifies additional text to append to the SSH protocol banner
  sent by the server upon connection.
  The default is
- .Qq FreeBSD-20230316 .
 -.Cm none .
++.Qq FreeBSD-20230719 .
 +The value
 +.Cm none
 +may be used to disable this.
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
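Review bot: the man page hard-codes the default string a second time (`.Qq FreeBSD-20230719 .`), next to sshd_config and version.h; a grep for the previous date string across crypto/openssh at the next vendor import is the cheapest way to catch a missed bump. The added sentence on `.Cm none` should stay as written: upstream's documented default is `none` (the `.Cm none .` line dropped here relative to the vendor branch), so readers coming from upstream documentation will look for exactly that value when they want the addendum suppressed.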
diff --cc crypto/openssh/version.h
index 24c778283020,000000000000..7132fd7b0780
mode 100644,000000..100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@@ -1,8 -1,0 +1,8 @@@
 +/* $OpenBSD: version.h,v 1.97 2023/03/15 21:19:57 djm Exp $ */
 +
 +#define SSH_VERSION	"OpenSSH_9.3"
 +
- #define SSH_PORTABLE	"p1"
++#define SSH_PORTABLE	"p2"
 +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 +
- #define SSH_VERSION_FREEBSD	"FreeBSD-20230316"
++#define SSH_VERSION_FREEBSD	"FreeBSD-20230719"
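Review bot: SSH_RELEASE is composed as SSH_VERSION followed by SSH_PORTABLE, so the on-wire identification becomes `OpenSSH_9.3p2`, and SSH_VERSION_FREEBSD appended after it becomes `FreeBSD-20230719`; these two strings are the only externally visible evidence that a host carries the CVE-2023-38408 fix, so both changes belong in this hunk. The `$OpenBSD: version.h,v 1.97 2023/03/15` id line is left untouched, which is consistent with 9.3p2 being a portable-only point release, but it is worth confirming against the imported 9.3p2 tarball rather than by hand so the header does not drift from the vendor branch.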