Secure Shell Client and Server (Remote Login Program)
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.
xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.
- Developed at network
- Sources inherited from project openSUSE:Factory
-
18
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout openSUSE:Backports:SLE-15-SP4:SLECandidates/openssh && cd $_ - Create Badge
Refresh
Refresh
Source Files
Revision 165 (latest revision is 177)
Ana Guerrero (anag+factory)
accepted
request 1099856
from
Marcus Meissner (msmeissn)
(revision 165)
- Update to openssh 9.3p2
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
Security
========
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction. (forwarded request 1099810 from simotek)
Comments 4
Is it possible to upgrade to a more recent version, please?
openSSH-7.8 is available
OpenSSH 7.8p1 is available: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.8p1.tar.gz
Hello, is it possible to adhere to the new guidance regarding systemd ( https://en.opensuse.org/openSUSE:Systemd_packaging_guidelines#Requirements )? That is, dropping %{?systemd_requires} and using %{?systemd_ordering} instead. This is interesting for containers, git-core requires openssh which in turn requires systemd which requires many other things. Thanks in advance.