Overview
Request 1088447 superseded
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493 (forwarded request 1087770 from alarrosa)
- Created by hpjansson
- In state superseded
- Superseded by 1099856
Request History
hpjansson created request
- Update to openssh 9.3p1
* No changes for askpass, see main package changelog for
details
- Update to openssh 9.3p1:
= Security
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in
OpenSSH 8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This
problem was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the
system's standard library lacks this function and portable
OpenSSH was not compiled with the ldns library (--with-ldns).
getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
fetch SSHFP records. This problem was found by the Coverity
static analyzer.
= New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
when outputting SSHFP fingerprints to allow algorithm
selection. bz3493 (forwarded request 1087770 from alarrosa)
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dimstar_suse set openSUSE:Factory:Staging:E as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:E"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:E"
dimstar_suse added factory-staging as a reviewer
Being evaluated by group "factory-staging"
dimstar_suse accepted review
Unstaged from project "openSUSE:Factory:Staging:E"
dimstar_suse set openSUSE:Factory:Staging:D as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:D"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:D"
dimstar_suse added factory-staging as a reviewer
Being evaluated by group "factory-staging"
dimstar_suse accepted review
Unstaged from project "openSUSE:Factory:Staging:D"
dimstar_suse set openSUSE:Factory:Staging:F as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:F"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:F"
dimstar_suse added factory-staging as a reviewer
Being evaluated by group "factory-staging"
dimstar_suse accepted review
Unstaged from project "openSUSE:Factory:Staging:F"
dimstar_suse set openSUSE:Factory:Staging:L as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:L"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:L"
dimstar_suse added factory-staging as a reviewer
Being evaluated by group "factory-staging"
dimstar_suse accepted review
Unstaged from project "openSUSE:Factory:Staging:L"
dimstar_suse set openSUSE:Factory:Staging:M as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:M"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:M"
darix accepted review
Accepted review for by_group opensuse-review-team request 1088447 from user dimstar_suse
staging-bot added factory-staging as a reviewer
Being evaluated by group "factory-staging"
staging-bot accepted review
Unstaged from project "openSUSE:Factory:Staging:M"
staging-bot declined review
sr#1090577 has newer source and is from the same project
staging-bot declined request
sr#1090577 has newer source and is from the same project
superseded by 1099856
Trim changelog to about 30 lines.
https://openqa.opensuse.org/tests/3313061#step/sshd/142
https://progress.opensuse.org/issues/130240