Dear Damien,
Could you please clarify which versions are vulnerable?
On Wed, Jul 19, 2023 at 7:38 PM Damien Miller <djm at cvs.openbsd.org> wrote:
>
> OpenSSH 9.3p2 has just been released. It will be available from the
> mirrors listed at https://www.openssh.com/ shortly.
>
> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
> includes sftp client and server support.
>
> Once again, we would like to thank the OpenSSH community for their
> continued support of the project, especially those who contributed
> code or patches, reported bugs, tested snapshots or donated to the
> project. More information on donations may be found at:
> https://www.openssh.com/donations.html
>
> Changes since OpenSSH 9.3
> ========================
>
> This release fixes a security bug.
>
> Security
> =======
>
> Fix CVE-2023-38408 - a condition where specific libraries loaded via
> ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
> code execution via a forwarded agent socket if the following
> conditions are met:
>
> * Exploitation requires the presence of specific libraries on
> the victim system.
> * Remote exploitation requires that the agent was forwarded
> to an attacker-controlled system.
>
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
>
> This vulnerability was discovered and demonstrated to be exploitable
> by the Qualys Security Advisory team.
>
> In addition to removing the main precondition for exploitation,
> this release removes the ability for remote ssh-agent(1) clients
> to load PKCS#11 modules by default (see below).
>
> Potentially-incompatible changes
> --------------------------------
>
> * ssh-agent(8): the agent will now refuse requests to load PKCS#11
> modules issued by remote clients by default. A flag has been added
> to restore the previous behaviour "-Oallow-remote-pkcs11".
>
> Note that ssh-agent(8) depends on the SSH client to identify
> requests that are remote. The OpenSSH >=8.9 ssh(1) client does
> this, but forwarding access to an agent socket using other tools
> may circumvent this restriction.
>
> Checksums:
> =========
>
> - SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4
> - SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug
>
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available from the mirror sites:
> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
>
> Reporting Bugs:
> ==============
>
> - Please read https://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Dmitry Belyavskiy
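The announcement above names 9.3p2 as the release that fixes CVE-2023-38408, the forwarded-agent precondition for remote exploitation, and the `ssh-agent -P` allowlist as the mitigation. The following POSIX sh helper is an added example, not code from the thread or from the OpenSSH project: it checks whether a local `ssh -V` banner predates 9.3p2, audits an ssh_config-style text for `ForwardAgent yes`, and prints the allowlist mitigation command. The numeric version encoding, the function names and the sample version strings and config lines are constructed here for illustration; `ssh -V` and `ssh-agent -P` are the real flags.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of OpenSSH itself.
# Defender-side helpers around the OpenSSH 9.3p2 announcement:
#   1. openssh_version_num / openssh_has_fix: is a client older than 9.3p2?
#   2. forward_agent_enabled: does a config enable agent forwarding at all?
#   3. agent_mitigation_command: the ssh-agent -P allowlist from the release notes.
# All sample inputs used in the tests are constructed, not observed.

FIXED_VERSION="9.3p2"   # release named in the announcement as carrying the fix

# Convert "9.3p2", "OpenSSH_9.3p2" or a full `ssh -V` banner such as
# "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023" into one integer
# (major*1000000 + minor*1000 + portable patch) so versions compare with -ge.
# Assumed encoding for this example; returns 1 if the string does not parse.
openssh_version_num() {
    v=${1#OpenSSH_}          # drop the banner prefix if present
    v=${v%%,*}               # drop the ", OpenSSL ..." tail
    v=${v%% *}               # drop vendor suffixes after a space ("Ubuntu-...")
    case "$v" in
        [0-9]*.[0-9]*p[0-9]*) ;;          # portable release: MAJOR.MINORpN
        [0-9]*.[0-9]*) v="${v}p0" ;;      # OpenBSD-native build has no pN
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    patch=${patch%%[!0-9]*}  # trim anything after the digits, e.g. "1-hpn"
    [ -n "$patch" ] || return 1
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit 0 when $1 is at least the fixing release, 1 when it is older,
# 2 when the string cannot be parsed (so callers never mistake it for "old").
openssh_has_fix() {
    n=$(openssh_version_num "$1") || return 2
    f=$(openssh_version_num "$FIXED_VERSION")
    [ "$n" -ge "$f" ]
}

# Read ssh_config-style text on stdin; succeed if any non-comment line enables
# agent forwarding ("ForwardAgent yes" or "ForwardAgent=yes", any case).
# Forwarding to an attacker-controlled host is the remote precondition named in
# the announcement, so this is the setting a defender wants to inventory.
forward_agent_enabled() {
    grep -v '^[[:space:]]*#' | grep -iq '^[[:space:]]*forwardagent[[:space:]=]\{1,\}yes'
}

# Print the mitigation from the release notes: an empty PKCS#11/FIDO allowlist
# when called with no arguments, or a comma-separated pattern-list of the
# provider libraries passed as arguments.
agent_mitigation_command() {
    list=""
    for p in "$@"; do
        list="${list:+$list,}$p"
    done
    printf "ssh-agent -P '%s'\n" "$list"
}

# Report on the locally installed client, if there is one.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    rc=0; openssh_has_fix "$banner" || rc=$?
    case $rc in
        0) echo "local client '$banner' is at least $FIXED_VERSION" ;;
        1) echo "local client '$banner' predates $FIXED_VERSION; upgrade, or start the agent with: $(agent_mitigation_command)" ;;
        *) echo "could not parse client version from: $banner" ;;
    esac
fi
```

The version check only says whether a client is older than the fixing release, which is what the announcement supports; it does not decide by itself whether a given older build is exploitable, since that also depends on the provider libraries present and on whether the agent is forwarded. Note also the announcement's caveat that the agent relies on an OpenSSH >=8.9 client to flag remote requests, so the `-P` allowlist, not the new default, is the mitigation that holds regardless of how the socket was forwarded.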