DLA-3694-1 for opensshDLA-3694-1

2 files changed, 67 insertions, 0 deletions

diff --git a/english/lts/security/2023/dla-3694.data b/english/lts/security/2023/dla-3694.data
new file mode 100644
index 00000000000..04caa6ff089
--- /dev/null
+++ b/english/lts/security/2023/dla-3694.data
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-3694-1 openssh</define-tag>
+<define-tag report_date>2023-12-25</define-tag>
+<define-tag secrefs>CVE-2021-41617 CVE-2023-48795 CVE-2023-51385 Bug#995130</define-tag>
+<define-tag packages>openssh</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
diff --git a/english/lts/security/2023/dla-3694.wml b/english/lts/security/2023/dla-3694.wml
new file mode 100644
index 00000000000..e1009b354f3
--- /dev/null
+++ b/english/lts/security/2023/dla-3694.wml
@@ -0,0 +1,57 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+<p>Several vulnerabilities have been discovered in OpenSSH, an implementation of
+the SSH protocol suite.</p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2021-41617">CVE-2021-41617</a>
+
+    <p>It was discovered that sshd failed to correctly initialise supplemental
+    groups when executing an AuthorizedKeysCommand or
+    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
+    AuthorizedPrincipalsCommandUser directive has been set to run the command
+    as a different user. Instead these commands would inherit the groups that
+    sshd was started with.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-48795">CVE-2023-48795</a>
+
+    <p>Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH
+    protocol is prone to a prefix truncation attack, known as the <q>Terrapin
+    attack</q>. This attack allows a MITM attacker to effect a limited break of the
+    integrity of the early encrypted SSH transport protocol by sending extra
+    messages prior to the commencement of encryption, and deleting an equal
+    number of consecutive messages immediately after encryption starts.</p>
+
+    <p>Details can be found at <a href="https://terrapin-attack.com/">https://terrapin-attack.com/</a></p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-51385">CVE-2023-51385</a>
+
+    <p>It was discovered that if an invalid user or hostname that contained shell
+    metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
+    directive or <q>match exec</q> predicate referenced the user or hostname via
+    expansion tokens, then an attacker who could supply arbitrary
+    user/hostnames to ssh could potentially perform command injection. The
+    situation could arise in case of git repositories with submodules, where the
+    repository could contain a submodule with shell characters in its user or
+    hostname.</p></li>
+
+</ul>
+
+<p>For Debian 10 buster, these problems have been fixed in version
+1:7.9p1-10+deb10u4.</p>
+
+<p>We recommend that you upgrade your openssh packages.</p>
+
+<p>For the detailed security status of openssh please refer to
+its security tracker page at:
+<a href="https://security-tracker.debian.org/tracker/openssh">https://security-tracker.debian.org/tracker/openssh</a></p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2023/dla-3694.data"
+# $Id: $