Date: Wed, 19 Jul 2023 17:04:21 GMT
Message-Id: <202307191704.36JH4Lip083569@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 66fd12cf4896 - main - ssh: Update to OpenSSH 9.3p2
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 66fd12cf4896eb08ad8e7a2627537f84ead84dd3

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=66fd12cf4896eb08ad8e7a2627537f84ead84dd3

commit 66fd12cf4896eb08ad8e7a2627537f84ead84dd3
Merge: 37eec7f68a79 e524ba4db420
Author:     Ed Maste
AuthorDate: 2023-07-19 17:02:33 +0000
Commit:     Ed Maste
CommitDate: 2023-07-19 17:02:33 +0000

    ssh: Update to OpenSSH 9.3p2

    From the release notes:

    Changes since OpenSSH 9.3
    =========================

    This release fixes a security bug.

    Security
    ========

    Fix CVE-2023-38408 - a condition where specific libraries loaded via
    ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
    execution via a forwarded agent socket if the following conditions are
    met:

    * Exploitation requires the presence of specific libraries on the
      victim system.
    * Remote exploitation requires that the agent was forwarded to an
      attacker-controlled system.

    Exploitation can also be prevented by starting ssh-agent(1) with an
    empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an
    allowlist that contains only specific provider libraries.

    This vulnerability was discovered and demonstrated to be exploitable by
    the Qualys Security Advisory team.

    In addition to removing the main precondition for exploitation, this
    release removes the ability for remote ssh-agent(1) clients to load
    PKCS#11 modules by default (see below).

    Potentially-incompatible changes
    --------------------------------

    * ssh-agent(8): the agent will now refuse requests to load PKCS#11
      modules issued by remote clients by default. A flag has been added
      to restore the previous behaviour "-Oallow-remote-pkcs11".

      Note that ssh-agent(8) depends on the SSH client to identify requests
      that are remote.
The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation crypto/openssh/ChangeLog | 1867 +--------------------------- crypto/openssh/README | 2 +- crypto/openssh/contrib/redhat/openssh.spec | 2 +- crypto/openssh/contrib/suse/openssh.spec | 2 +- crypto/openssh/ssh-agent.1 | 22 +- crypto/openssh/ssh-agent.c | 21 +- crypto/openssh/ssh-pkcs11.c | 6 +- crypto/openssh/sshd_config | 2 +- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/version.h | 4 +- 10 files changed, 82 insertions(+), 1848 deletions(-) diff --cc crypto/openssh/sshd_config index e3228f94f94a,36894ace503d..767024db5209 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@@ -104,8 -100,7 +104,8 @@@ AuthorizedKeysFile .ssh/authorized_key #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none -#VersionAddendum none +#UseBlacklist no - #VersionAddendum FreeBSD-20230316 ++#VersionAddendum FreeBSD-20230719 # no default banner path #Banner none diff --cc crypto/openssh/sshd_config.5 index 9bd447e47863,9a1578f75e86..d960bbda5e0f --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@@ -1927,10 -1900,7 +1927,10 @@@ The default i Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is - .Qq FreeBSD-20230316 . -.Cm none . ++.Qq FreeBSD-20230719 . +The value +.Cm none +may be used to disable this. 
.It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's diff --cc crypto/openssh/version.h index 24c778283020,000000000000..7132fd7b0780 mode 100644,000000..100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@@ -1,8 -1,0 +1,8 @@@ +/* $OpenBSD: version.h,v 1.97 2023/03/15 21:19:57 djm Exp $ */ + +#define SSH_VERSION "OpenSSH_9.3" + - #define SSH_PORTABLE "p1" ++#define SSH_PORTABLE "p2" +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE + - #define SSH_VERSION_FREEBSD "FreeBSD-20230316" ++#define SSH_VERSION_FREEBSD "FreeBSD-20230719"
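Review bot: the new FreeBSD-20230719 string in the version.h hunk (`++#define SSH_VERSION_FREEBSD "FreeBSD-20230719"`) is repeated by hand in the sshd_config hunk (`++#VersionAddendum FreeBSD-20230719`) and the sshd_config.5 hunk (`++.Qq FreeBSD-20230719 .`), so the config file and its man page only had to change in this merge to keep their documented default in step with the compiled-in one. Consider deriving the shown default from SSH_VERSION_FREEBSD at build time, or at least recording in the commit message that the three must be bumped together, so that a later update cannot leave the documented default behind the value the server actually sends in its banner.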
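An audit helper to go with the release notes and mitigations quoted in the commit message, written here as an added example (it is not part of the FreeBSD commit or of OpenSSH): it classifies an `ssh -V` banner against the 9.3p2 fix and an ssh-agent command line against the `-P` allowlist and `-Oallow-remote-pkcs11` options named above. The banner and command-line inputs are constructed samples, and judging only portable (pN) banners is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD commit or of OpenSSH itself:
# classify an OpenSSH version banner and an ssh-agent command line against
# the CVE-2023-38408 fix and mitigations quoted in the commit message.

# openssh_status BANNER
# BANNER is the first word printed by `ssh -V`, e.g. "OpenSSH_9.3p1,".
# Prints "fixed" for portable 9.3p2 or newer, "vulnerable" for older
# portable releases, "unknown" when the banner does not parse.
# Assumption: only portable (pN) banners are judged; anything else is
# reported as "unknown" rather than guessed at.
openssh_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*$/\1 \2 \3/p')
    if [ -z "$parsed" ]; then
        echo unknown
        return 0
    fi
    set -- $parsed   # major minor portable now in $1 $2 $3
    if [ "$1" -gt 9 ] || { [ "$1" -eq 9 ] && [ "$2" -gt 3 ]; } ||
       { [ "$1" -eq 9 ] && [ "$2" -eq 3 ] && [ "$3" -ge 2 ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# agent_policy CMDLINE
# CMDLINE is an ssh-agent invocation as shown by ps. Prints:
#   weakened  - -Oallow-remote-pkcs11 restores remote PKCS#11 loads, which
#               9.3p2 refuses by default
#   allowlist - a -P provider allowlist is set; -P '' disables PKCS#11/FIDO
#               providers entirely, the mitigation named in the release notes
#   default   - neither option present; relies on the 9.3p2 default
agent_policy() {
    case " $1 " in
        *" -Oallow-remote-pkcs11 "*|*" -O allow-remote-pkcs11 "*) echo weakened ;;
        *" -P "*) echo allowlist ;;
        *) echo default ;;
    esac
}

# Constructed sample inputs, not captured from a real host.
openssh_status "OpenSSH_9.3p1,"                    # vulnerable
openssh_status "OpenSSH_9.3p2,"                    # fixed
agent_policy "ssh-agent -P ''"                     # allowlist
agent_policy "ssh-agent -Oallow-remote-pkcs11 -s"  # weakened
```

On a live host the banner comes from `ssh -V 2>&1 | cut -d' ' -f1` and the command line from the agent's entry in `ps`; the script itself stays offline.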