Date: Wed, 4 Sep 2024 21:27:06 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: James Watt <crispy.james.watt@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Security vulnerability— action required：please update openssh in you project of releng/14.0 to 9.6p1 like branch master
Message-ID: <0FBD4AF8-D3E6-41F6-8B3B-32B0B56005E5@tetlows.org>
In-Reply-To: <CADUHo-WDZ24aZ=EvvEEeXkyea3tBUgPQnxsPVc-Zocn=L-jE=w@mail.gmail.com>
References: <CADUHo-WDZ24aZ=EvvEEeXkyea3tBUgPQnxsPVc-Zocn=L-jE=w@mail.gmail.com>
> On Sep 4, 2024, at 7:26 PM, James Watt <crispy.james.watt@gmail.com> wrote:
>
> Hi,
> we have detected that your project of release/14.0 is vulnerable to the CVE-2023-51384 which is caused by the lower version of openssh, maybe you need to update it?
>
> Best regards,
> James
>

Hi James,

We (secteam) try to avoid wholesale upgrade of OpenSSH in our release branches. As such, we take a risk-based approach on what we pull into the tree. Given this particular CVE is related to ssh-agent with a specific set of circumstances (multiple PKCS#11 keys with destination constraints), we opted not to publish an update for it. Users who want to defend from this particular CVE could either use the OpenSSH from ports/pkg or directly upgrade to 14.1-RELEASE.

Lastly, given that 14.0-RELEASE is going out of support at the end of this month, this will be overcome by events pretty shortly.

On an unrelated note, your note says that “we” have detected the old version. Out of curiosity, do you represent a broader organization? Your email address being hosted on gmail.com makes it difficult to know.

Thanks,
Gordon
Hat: security-officer
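An added example, not part of this thread or of FreeBSD's own tooling: a POSIX sh check that parses the banner `ssh -V` prints and reports whether the installed OpenSSH is older than the 9.6p1 named in the subject line, which is the practical test behind the "use ports/pkg or upgrade" advice above. The sample banners are constructed, and the banner layout (`OpenSSH_X.YpZ ...`) is assumed from OpenSSH's usual output.

```shell
#!/bin/sh
# Added example (not from the thread): is an OpenSSH version older than 9.6p1?
# Banner format assumed from `ssh -V`, e.g.
#   "OpenSSH_9.5p1 FreeBSD-20231004, OpenSSL 3.0.12 24 Oct 2023"

# openssh_version_key "9.5p1" -> "9 5 1"  (major minor portable-patch; missing parts -> 0)
openssh_version_key() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    set -- $v
    printf '%s %s %s' "${1:-0}" "${2:-0}" "${3:-0}"
}

# openssh_version_lt A B -> exit status 0 when version A is older than version B
openssh_version_lt() {
    set -- $(openssh_version_key "$1") $(openssh_version_key "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# ssh_banner_version BANNER -> the version token, e.g. "9.5p1"
ssh_banner_version() {
    printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p*[0-9]*\).*/\1/p'
}

# needs_newer_openssh BANNER -> exit status 0 when the banner is older than 9.6p1
needs_newer_openssh() {
    openssh_version_lt "$(ssh_banner_version "$1")" "9.6p1"
}

# Constructed sample banners (illustrative, not captured from real hosts)
SAMPLE_OLD="OpenSSH_9.5p1 FreeBSD-20231004, OpenSSL 3.0.12 24 Oct 2023"
SAMPLE_NEW="OpenSSH_9.7p1 FreeBSD-20240806, OpenSSL 3.0.13 30 Jan 2024"

# Live check of the local binary, skipped where ssh is not installed
if command -v ssh >/dev/null 2>&1; then
    if needs_newer_openssh "$(ssh -V 2>&1)"; then
        echo "base OpenSSH is older than 9.6p1: consider ports/pkg OpenSSH or a newer release"
    else
        echo "installed OpenSSH is 9.6p1 or newer"
    fi
fi
```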
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0FBD4AF8-D3E6-41F6-8B3B-32B0B56005E5>