X-Recipient: archive-cygwin AT delorie DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E86833853D3C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com; s=default; t=1689930789; bh=7tzMLHlouWAEM7uJZbxsFmJQeZ1WUE8eumJrdsz4NPA=; h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=hv2voykEqASIlMZD9e8yDVLiNzDBIym1SR4dlk3vGcNp2Wduamz3PshF8TpzdNulq 0JTiIK2Q2woWWPsdaW0JLA2lMzwdNkHflkrg7H+m8ACsLeyhPN8R8BEMqxi8MC0HFU YUHQ6y5M0fWHpi6I2Y1pByl6IiagDD0gTiT8SNtI= X-Original-To: cygwin AT cygwin DOT com Delivered-To: cygwin AT cygwin DOT com DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 228C13854801 DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C1FFE385C6DB DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CD251385482D X-Mailbox-Line: From cygwin-announce-openssh-9.3p2-1 Fri Jul 21 11:10:38 2023 To: cygwin AT cygwin DOT com Date: Fri, 21 Jul 2023 11:10:38 +0200 Message-Id: Subject: [ANNOUNCEMENT] openssh 9.3p2-1 X-BeenThere: cygwin-announce AT cygwin DOT com X-Mailman-Version: 2.1.29 X-Mailer: Perl5 Mail::Internet v2.20 X-BeenThere: cygwin AT cygwin DOT com List-Id: General Cygwin discussions and problem reports List-Archive: List-Post: List-Help: List-Subscribe: , From: Corinna Vinschen via Cygwin-announce via Cygwin Reply-To: cygwin AT cygwin DOT com Cc: Corinna Vinschen via Cygwin-announce MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6343882576029675245==" Sender: "Cygwin" --===============6343882576029675245== Content-Type: text/plain The following packages have been uploaded to the Cygwin distribution: * openssh-9.3p2-1 OpenSSH is a program for logging into a remote machine and for executing commands on a remote machine. It can replace rlogin and rsh, providing encrypted communication between two machines. ======================================================================= OpenSSH 9.3p2 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on   the victim system. * Remote exploitation requires that the agent was forwarded   to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. Checksums: ========== - SHA1 (openssh-9.3p2.tar.gz) = 219cf700c317f400bb20b001c0406056f7188ea4 - SHA256 (openssh-9.3p2.tar.gz) = IA6+FH9ss/EB/QzfngJEKvfdyimN/9n0VoeOfMrGdug= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh AT openssh DOT com --===============6343882576029675245== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple --===============6343882576029675245==--