update: openssh (part 2 of v9.6) #1310

dongsupark · 2024-01-09T14:21:06Z

Name: openssh
CVEs: CVE-2023-51384, CVE-2023-51385
CVSSs: 5.5, 6.5
Action Needed: update to >= 9.6

Summary:

CVE-2023-51384: In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
CVE-2023-51385: In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Note: the openssh 9.6 PR was already merged, but it did not have the 2 CVEs. We just need to add the missing CVEs.

refmap.gentoo: https://bugs.gentoo.org/920722

dongsupark added security security concerns advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS labels Jan 9, 2024

dongsupark added this to Flatcar tactical, release planning, and roadmap Jan 9, 2024

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Jan 9, 2024

dongsupark removed this from Flatcar tactical, release planning, and roadmap Jan 9, 2024

krnowak mentioned this issue Jan 11, 2024

Changelog and accept keywords fixes flatcar/scripts#1566

Merged

krnowak closed this as completed in flatcar/scripts#1566 Jan 12, 2024

github-actions bot mentioned this issue Jan 22, 2024

Monthly contributions report 2023-12-22 - 2024-01-21 #1327

Closed

Provide feedback