-------------------------------------------------------------------------
Debian LTS Advisory DLA-3532-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
August 17, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssh
Version        : 1:7.9p1-10+deb10u3
CVE ID         : CVE-2023-38408
Debian Bug     : 1042460

It was discovered that OpenSSH incorrectly handled loading certain
PKCS#11 providers. If a user forwarded their ssh-agent to an untrusted
system, a remote attacker could possibly use this issue to load
arbitrary libraries from the user’s system and execute arbitrary code.

In addition to the above security issue, this update also fixed another
bug: a bad interaction between the ssh_config ConnectTimeout and
ConnectionAttempts directives, in which connection attempts after the
first attempt ignored the requested timeout. More details about this can
be found at https://bugzilla.mindrot.org/show_bug.cgi?id=2918.

For Debian 10 buster, this problem has been fixed in version
1:7.9p1-10+deb10u3.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
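
Added example (not part of the Debian advisory): the issue above is only reachable when the ssh-agent is forwarded, so this sketch audits ssh_config text for blocks that enable the ForwardAgent option and marks the ones that apply to wildcard or all hosts. The sample configuration, host names and the function name forwarding_blocks are constructed for illustration.

```python
import re
import shlex

# Constructed sample ssh_config, for illustration only.
SAMPLE_CONFIG = """\
# constructed example
Host bastion.example.org
    ForwardAgent yes
    ConnectTimeout 10

Host build-*.example.org
    forwardagent=no

Host *
    ForwardAgent yes
    ConnectionAttempts 3
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*)$")


def forwarding_blocks(config_text):
    """Return (block, line number, broad) for each block that enables agent forwarding.

    broad is True when the block is global, a Host block with a wildcard
    pattern, or "Match all", i.e. the agent is offered to hosts not named
    individually.
    """
    findings = []
    block, broad = "(global)", True  # directives before the first Host/Match apply everywhere
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(raw)
        if not m:  # blank line, comment, or keyword without a value
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        try:
            args = shlex.split(rest)
        except ValueError:  # unbalanced quote: fall back to whitespace splitting
            args = rest.split()
        if keyword == "host":
            block = "Host " + " ".join(args)
            broad = any(ch in pattern for pattern in args for ch in "*?")
        elif keyword == "match":
            block = "Match " + " ".join(args)
            broad = "all" in (a.lower() for a in args)
        elif keyword == "forwardagent" and args and args[0].lower() != "no":
            findings.append((block, lineno, broad))
    return findings


if __name__ == "__main__":
    for block, lineno, broad in forwarding_blocks(SAMPLE_CONFIG):
        print(f"line {lineno}: {block} enables ForwardAgent" + (" (broad match)" if broad else ""))
```

The audit reports each block as written and does not follow Include directives or resolve ssh's first-value-wins ordering; `ssh -G <host>` prints the effective setting for one host.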