[SECURITY] [DSA 5586-1] openssh security update

2 files changed, 86 insertions, 0 deletions

diff --git a/english/security/2023/dsa-5586.data b/english/security/2023/dsa-5586.data
new file mode 100644
index 00000000000..c8bb36659e7
--- /dev/null
+++ b/english/security/2023/dsa-5586.data
@@ -0,0 +1,13 @@
+<define-tag pagetitle>DSA-5586-1 openssh</define-tag>
+<define-tag report_date>2023-12-22</define-tag>
+<define-tag secrefs>CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384 CVE-2023-51385 Bug#995130 Bug#1033166</define-tag>
+<define-tag packages>openssh</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
+
+
+</dl>
diff --git a/english/security/2023/dsa-5586.wml b/english/security/2023/dsa-5586.wml
new file mode 100644
index 00000000000..cbe665f1422
--- /dev/null
+++ b/english/security/2023/dsa-5586.wml
@@ -0,0 +1,73 @@
+<define-tag description>security update</define-tag>
+<define-tag moreinfo>
+<p>Several vulnerabilities have been discovered in OpenSSH, an
+implementation of the SSH protocol suite.</p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2021-41617">CVE-2021-41617</a>
+
+    <p>It was discovered that sshd failed to correctly initialise
+    supplemental groups when executing an AuthorizedKeysCommand or
+    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
+    AuthorizedPrincipalsCommandUser directive has been set to run the
+    command as a different user. Instead these commands would inherit
+    the groups that sshd was started with.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-28531">CVE-2023-28531</a>
+
+    <p>Luci Stanescu reported that a error prevented constraints being
+    communicated to the ssh-agent when adding smartcard keys to the
+    agent with per-hop destination constraints, resulting in keys being
+    added without constraints.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-48795">CVE-2023-48795</a>
+
+    <p>Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that
+    the SSH protocol is prone to a prefix truncation attack, known as
+    the <q>Terrapin attack</q>. This attack allows a MITM attacker to effect
+    a limited break of the integrity of the early encrypted SSH
+    transport protocol by sending extra messages prior to the
+    commencement of encryption, and deleting an equal number of
+    consecutive messages immediately after encryption starts.</p>
+
+    <p>Details can be found at <a href="https://terrapin-attack.com/">\
+    https://terrapin-attack.com/</a></p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-51384">CVE-2023-51384</a>
+
+    <p>It was discovered that when PKCS#11-hosted private keys were
+    added while specifying destination constraints, if the PKCS#11
+    token returned multiple keys then only the first key had the
+    constraints applied.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-51385">CVE-2023-51385</a>
+
+    <p>It was discovered that if an invalid user or hostname that contained
+    shell metacharacters was passed to ssh, and a ProxyCommand,
+    LocalCommand directive or <q>match exec</q> predicate referenced the user
+    or hostname via expansion tokens, then an attacker who could supply
+    arbitrary user/hostnames to ssh could potentially perform command
+    injection. The situation could arise in case of git repositories
+    with submodules, where the repository could contain a submodule with
+    shell characters in its user or hostname.</p></li>
+
+</ul>
+
+<p>For the oldstable distribution (bullseye), these problems have been fixed
+in version 1:8.4p1-5+deb11u3.</p>
+
+<p>For the stable distribution (bookworm), these problems have been fixed in
+version 1:9.2p1-2+deb12u2.</p>
+
+<p>We recommend that you upgrade your openssh packages.</p>
+
+<p>For the detailed security status of openssh please refer to its security
+tracker page at:
+<a href="https://security-tracker.debian.org/tracker/openssh">\
+https://security-tracker.debian.org/tracker/openssh</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2023/dsa-5586.data"
+# $Id: $