From: Gordon Tetlow <gordon@tetlows.org>
To: James Watt <crispy.james.watt@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Security vulnerability— action required：please update openssh in you project of releng/14.0 to 9.6p1 like branch master
Date: Wed, 4 Sep 2024 21:27:06 -0700
Message-Id: <0FBD4AF8-D3E6-41F6-8B3B-32B0B56005E5@tetlows.org>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> On Sep 4, 2024, at 7:26 PM, James Watt <crispy.james.watt@gmail.com> wrote:
>
> Hi,
> we have detected that your project of release/14.0 is vulnerable to CVE-2023-51384, which is caused by the lower version of openssh; maybe you need to update it?
>
> Best regards,
> James
>

Hi James,

We (secteam) try to avoid wholesale upgrades of OpenSSH in our release branches. As such, we take a risk-based approach on what we pull into the tree. Given this particular CVE is related to ssh-agent with a specific set of circumstances (multiple PKCS#11 keys with destination constraints), we opted not to publish an update for it. Users who want to defend against this particular CVE could either use the OpenSSH from ports/pkg or directly upgrade to 14.1-RELEASE.

Lastly, given that 14.0-RELEASE is going out of support at the end of this month, this will be overcome by events pretty shortly.

On an unrelated note, your note says that “we” have detected the old version. Out of curiosity, do you represent a broader organization? Your email address being hosted on gmail.com makes it difficult to know.

Thanks,
Gordon
Hat: security-officer
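The reply above leaves the practical question to the reader: which OpenSSH a 14.0 host is actually running, and whether it predates 9.6p1 (the version the thread's subject names as the one carrying the fix). The script below is an added example written for this page, not code from the thread or from the FreeBSD project. It parses the banner that `ssh -V` prints, compares it against 9.6p1, and reports on whichever `ssh` is first on PATH, which matters because installing security/openssh-portable from ports/pkg puts a second binary under /usr/local/bin alongside the base-system /usr/bin/ssh. The banner strings used as sample input are constructed, and the exact FreeBSD banner suffix is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original thread): decide from an `ssh -V`
# banner whether an OpenSSH build predates 9.6p1, the release named in the
# thread subject as the one that carries the CVE-2023-51384 fix.

# Extract "major minor patch" from a banner such as
#   OpenSSH_9.5p1 FreeBSD-20231004, OpenSSL 3.0.12 24 Oct 2023   (constructed sample)
# Prints nothing for a banner it cannot parse (e.g. no "pN" portable suffix).
openssh_version_fields() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 when the banner's version is older than 9.6p1, 1 when it is 9.6p1
# or newer, 2 when the banner is unparseable. Comparison is numeric per field,
# so 10.0p1 correctly sorts after 9.6p1.
openssh_predates_9_6p1() {
    set -- $(openssh_version_fields "$1")
    [ $# -eq 3 ] || return 2
    major=$1; minor=$2; patch=$3
    [ "$major" -lt 9 ] && return 0
    [ "$major" -gt 9 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -lt 1 ]
}

# Report on the ssh binary the shell would actually run. On a FreeBSD host
# with security/openssh-portable installed, /usr/local/bin/ssh normally
# precedes /usr/bin/ssh on PATH, so the base-system build may not be the
# one in use even though it is still installed.
check_installed_ssh() {
    ssh_path=$(command -v ssh) || { echo "no ssh on PATH"; return 2; }
    banner=$("$ssh_path" -V 2>&1)
    if openssh_predates_9_6p1 "$banner"; then
        echo "$ssh_path: $banner -> predates 9.6p1 (CVE-2023-51384 fix absent)"
        return 0
    elif [ $? -eq 1 ]; then
        echo "$ssh_path: $banner -> 9.6p1 or newer"
        return 1
    else
        echo "$ssh_path: could not parse banner: $banner"
        return 2
    fi
}
```

Source the file and run `check_installed_ssh` on the host; a 0 exit status means the first `ssh` on PATH is older than 9.6p1. Checking only the binary on PATH is deliberate: the base-system `ssh-agent` under /usr/bin is unaffected by a ports install unless the user's shell or rc configuration starts the /usr/local/bin one, so run the same banner check against the `ssh-agent` actually started by your session if that is the component you care about.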