Re: Security vulnerability — action required: please update openssh in your project of releng/14.0 to 9.6p1 like branch master
Date: Thu, 05 Sep 2024 04:27:06 UTC
> On Sep 4, 2024, at 7:26 PM, James Watt <crispy.james.watt@gmail.com> wrote:
>
> Hi,
> we have detected that your project of release/14.0 is vulnerable to CVE-2023-51384, which is caused by the lower version of openssh. Maybe you need to update it?
>
> Best regards,
> James

Hi James,

We (secteam) try to avoid wholesale upgrades of OpenSSH in our release branches. As such, we take a risk-based approach to what we pull into the tree. Given that this particular CVE is related to ssh-agent under a specific set of circumstances (multiple PKCS#11 keys with destination constraints), we opted not to publish an update for it. Users who want to defend against this particular CVE could either use the OpenSSH from ports/pkg or directly upgrade to 14.1-RELEASE. Lastly, given that 14.0-RELEASE is going out of support at the end of this month, this will be overcome by events pretty shortly.

On an unrelated note, your note says that “we” have detected the old version. Out of curiosity, do you represent a broader organization? Your email address being hosted on gmail.com makes it difficult to know.

Thanks,
Gordon
Hat: security-officer
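The reply above points users at two remedies, the ports/pkg OpenSSH or a newer release, without saying how to tell which OpenSSH a host is actually running. The following is an added example, not code from the thread or from FreeBSD: a POSIX sh snippet that parses the banner printed by `ssh -V` and reports whether it predates 9.6p1, the version the original report names as the fix. The threshold (9.6) is taken from the subject line; the two binary paths are an assumption that the base system lives in /usr/bin and a ports/pkg build in /usr/local/bin. All OpenSSH binaries from one build share the banner version, so `ssh -V` stands in for `ssh-agent`, which has no version flag.

```shell
#!/bin/sh
# Added example (not from the FreeBSD thread): check installed OpenSSH
# banners against the 9.6 threshold named in the original report.

# Print "major minor" from a banner such as
# "OpenSSH_9.5p1 FreeBSD-20231004, OpenSSL 3.0.12 24 Oct 2023".
# Prints nothing when the banner does not start with OpenSSH_X.Y.
openssh_version_tuple() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit status 0: banner is older than 9.6 (no upstream fix for CVE-2023-51384).
# Exit status 1: banner is 9.6 or newer.
# Exit status 2: banner could not be parsed.
openssh_predates_fix() {
    set -- $(openssh_version_tuple "$1")
    if [ "$#" -ne 2 ]; then
        return 2
    fi
    if [ "$1" -lt 9 ]; then
        return 0
    fi
    if [ "$1" -eq 9 ] && [ "$2" -lt 6 ]; then
        return 0
    fi
    return 1
}

# Report every candidate ssh binary. Assumption: the base-system OpenSSH
# is /usr/bin/ssh and a ports/pkg build installs to /usr/local/bin/ssh.
# `ssh -V` writes its banner to stderr, hence the 2>&1.
report_installed() {
    for bin in /usr/bin/ssh /usr/local/bin/ssh; do
        [ -x "$bin" ] || continue
        banner=$("$bin" -V 2>&1)
        rc=0
        openssh_predates_fix "$banner" || rc=$?
        case "$rc" in
            0) printf '%s: %s -> older than 9.6p1\n' "$bin" "$banner" ;;
            1) printf '%s: %s -> 9.6p1 or newer\n' "$bin" "$banner" ;;
            *) printf '%s: %s -> unrecognised banner\n' "$bin" "$banner" ;;
        esac
    done
}

report_installed
```

The check is deliberately a plain version comparison: it tells you which build is on a given path, which is what the reply's ports-vs-base advice turns on. It does not know about vendor backports, so a distribution that patched an older version string would still be reported as older than 9.6p1; on FreeBSD release branches that is the exact situation the reply describes, since secteam chose not to backport this fix.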