ELSA-2023-12711

Опубликовано: 10 авг. 2023

Источник: oracle-oval

Платформа: Oracle Linux 7

Описание

ELSA-2023-12711: openssh security update (CRITICAL)

[7.4p1-23.0.1_fips]

Change Epoch from 1 to 10
Enable fips KDF POST [Orabug: 32461750]
Disable diffie-hellman-group-exchange-sha256 KEX FIPS method [Orabug: 32461739]

[7.4p1-23.0.1]

enlarge format buffer size for certificate serial number so the log message can record any 64-bit integer without truncation (openssh bz#3012) [Orabug: 30448895]

[7.4p1-23 + 0.10.3-2]

Avoid remote code execution in ssh-agent PKCS#11 support Resolves: CVE-2023-38408

Обновленные пакеты

Oracle Linux 7

Oracle Linux aarch64

openssh

7.4p1-23.0.1.el7_9_fips

openssh-askpass

7.4p1-23.0.1.el7_9_fips

openssh-cavs

7.4p1-23.0.1.el7_9_fips

openssh-clients

7.4p1-23.0.1.el7_9_fips

openssh-keycat

7.4p1-23.0.1.el7_9_fips

openssh-ldap

7.4p1-23.0.1.el7_9_fips

openssh-server

7.4p1-23.0.1.el7_9_fips

openssh-server-sysvinit

7.4p1-23.0.1.el7_9_fips

pam_ssh_agent_auth

0.10.3-2.23.0.1.el7_9_fips

Oracle Linux x86_64

openssh

7.4p1-23.0.1.el7_9_fips

openssh-askpass

7.4p1-23.0.1.el7_9_fips

openssh-cavs

7.4p1-23.0.1.el7_9_fips

openssh-clients

7.4p1-23.0.1.el7_9_fips

openssh-keycat

7.4p1-23.0.1.el7_9_fips

openssh-ldap

7.4p1-23.0.1.el7_9_fips

openssh-server

7.4p1-23.0.1.el7_9_fips

openssh-server-sysvinit

7.4p1-23.0.1.el7_9_fips

pam_ssh_agent_auth

0.10.3-2.23.0.1.el7_9_fips

Связанные CVE

CVE-2023-38408

Ссылки на источники

Связанные уязвимости

CVE-2023-38408

CVSS3: 9.8

ubuntu

почти 2 года назад

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.