Package: openssh-client
Version: 1:8.4p1-5+deb11u1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: mnalis-debian...@voyager.hr, Debian Security Team <t...@security.debian.org>
"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system."

While it does not affect all users of ssh-agent, it does affect many of them, and the commonly suggested workaround (using jumphosts instead of agent forwarding) is not applicable to many use cases (git push over ssh, using libpam-ssh-agent-auth, etc.).

https://security-tracker.debian.org/tracker/CVE-2023-38408 indicates that the new fixed version 1:9.3p2-1 has been uploaded to sid and trixie; however, bookworm (stable) and bullseye (oldstable) still have no security fix since the CVE release on 2023-07-20.

(A workaround by pinning the fixed version from trixie is not possible, due to significant library clashes; and there are no Debian backports either.)

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.12
ii  libc6             2.31-13+deb11u6
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u3
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1n-0+deb11u5
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-client recommends:
pn  xauth  <none>

Versions of packages openssh-client suggests:
pn  keychain              <none>
pn  libpam-ssh            <none>
pn  monkeysphere          <none>
pn  ssh-askpass           <none>

-- no debconf information
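The report describes the exposure as the combination of an ssh-agent older than 9.3p2 and agent forwarding to a host that is not fully trusted, with a jumphost (ProxyJump) as the usual substitute. The following POSIX sh script is an added example, not part of the bug report or of the openssh-client package: it parses an `ssh -V` banner, decides whether the upstream version is at or past 9.3p2, and scans a client config for `ForwardAgent yes`. The banner and the two config fragments are constructed sample inputs; the banner mirrors the bullseye package version in the report.

```shell
#!/bin/sh
# Added example: triage a client for CVE-2023-38408 exposure as described in
# the report (ssh-agent before 9.3p2 + agent forwarding). Not from the report.

# Extract the upstream version ("8.4p1", or "9.3" for an OpenBSD build) from
# an `ssh -V` banner. Prints nothing if the banner is not recognised.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9]\{1,\}\.[0-9]\{1,\}\(p[0-9]\{1,\}\)\{0,1\}\).*/\1/p'
}

# Return 0 if the upstream version is 9.3p2 or later, 1 otherwise.
# An empty or unparsable version is treated as NOT fixed (fail closed).
version_is_fixed() {
    v=$1
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0      # no "pN" suffix -> portable patch 0
    [ "$major" -gt 9 ] && return 0
    [ "$major" -lt 9 ] && return 1
    [ "$minor" -gt 3 ] && return 0
    [ "$minor" -lt 3 ] && return 1
    [ "$patch" -ge 2 ]
}

# Return 0 if the given ssh_config text enables agent forwarding anywhere.
# This is a flat scan: it does not evaluate which Host block the line is in,
# and it cannot see a `-A` passed on the command line.
forward_agent_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes'
}

# Combine both checks into one verdict token:
#   fixed                     upstream version >= 9.3p2
#   exposed                   unpatched agent AND ForwardAgent yes in config
#   unpatched-no-forwarding   unpatched agent, but forwarding not configured
assess() {
    banner=$1
    config=$2
    ver=$(openssh_version "$banner")
    if version_is_fixed "$ver"; then
        echo fixed
    elif forward_agent_enabled "$config"; then
        echo exposed
    else
        echo unpatched-no-forwarding
    fi
}

# --- constructed sample inputs --------------------------------------------
# Banner shaped like the bullseye client in the report (1:8.4p1-5+deb11u1).
BULLSEYE_BANNER='OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022'

# Client config that relies on agent forwarding (the risky setting).
FORWARDING_CONFIG='Host bastion
    HostName bastion.example.org
    ForwardAgent yes
'

# Client config using a jumphost instead, as the report's workaround suggests;
# the agent stays on the local machine and is never exposed to the bastion.
JUMPHOST_CONFIG='Host internal
    HostName internal.example.org
    ProxyJump bastion.example.org
'

# Demo run over the constructed inputs.
# Live use:  assess "$(ssh -V 2>&1)" "$(cat ~/.ssh/config)"   (ssh -V writes to stderr)
for cfg in "$FORWARDING_CONFIG" "$JUMPHOST_CONFIG"; do
    printf 'bullseye 8.4p1 -> %s\n' "$(assess "$BULLSEYE_BANNER" "$cfg")"
done
```

Two caveats for using this on Debian hosts. The version check follows the upstream cut-off the report quotes; once a distribution backports the fix without bumping the upstream version (which the report notes had not yet happened for bullseye or bookworm), the banner will still read 8.4p1 or 9.2p1 and the script will keep reporting the host as unpatched, so the Debian package version and the security tracker remain the authoritative source. A `fixed` or `unpatched-no-forwarding` verdict also says nothing about sessions started with `ssh -A`, which never appear in the config file.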