| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org E86833853D3C |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; |
| s=default; t=1689930789; | |
| bh=7tzMLHlouWAEM7uJZbxsFmJQeZ1WUE8eumJrdsz4NPA=; | |
| h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: | |
| List-Help:List-Subscribe:From:Reply-To:Cc:From; | |
| b=hv2voykEqASIlMZD9e8yDVLiNzDBIym1SR4dlk3vGcNp2Wduamz3PshF8TpzdNulq | |
| 0JTiIK2Q2woWWPsdaW0JLA2lMzwdNkHflkrg7H+m8ACsLeyhPN8R8BEMqxi8MC0HFU | |
| YUHQ6y5M0fWHpi6I2Y1pByl6IiagDD0gTiT8SNtI= | |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org 228C13854801 |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org C1FFE385C6DB |
| DKIM-Filter: | OpenDKIM Filter v2.11.0 sourceware.org CD251385482D |
| X-Mailbox-Line: | From cygwin-announce-openssh-9.3p2-1 Fri Jul 21 11:10:38 2023 |
| To: | cygwin AT cygwin DOT com |
| Date: | Fri, 21 Jul 2023 11:10:38 +0200 |
| Message-Id: | <announce.20230721111038.3685945-1-corinna-cygwin@cygwin.com> |
| Subject: | [ANNOUNCEMENT] openssh 9.3p2-1 |
| X-BeenThere: | cygwin-announce AT cygwin DOT com |
| X-Mailman-Version: | 2.1.29 |
| X-Mailer: | Perl5 Mail::Internet v2.20 |
| X-BeenThere: | cygwin AT cygwin DOT com |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| From: | Corinna Vinschen via Cygwin-announce via Cygwin <cygwin AT cygwin DOT com> |
| Reply-To: | cygwin AT cygwin DOT com |
| Cc: | Corinna Vinschen via Cygwin-announce <cygwin-announce AT cygwin DOT com> |
| MIME-Version: | 1.0 |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
--===============6343882576029675245== Content-Type: text/plain The following packages have been uploaded to the Cygwin distribution: * openssh-9.3p2-1 OpenSSH is a program for logging into a remote machine and for executing commands on a remote machine. It can replace rlogin and rsh, providing encrypted communication between two machines. ======================================================================= OpenSSH 9.3p2 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on  the victim system. * Remote exploitation requires that the agent was forwarded  to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. Checksums: ========== - SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4 - SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh AT openssh DOT com --===============6343882576029675245== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple --===============6343882576029675245==--
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |