Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2024:0224-1

Опубликовано: 25 янв. 2024
Источник: suse-cvrf

Описание

Security update for apache-parent, apache-sshd

This update for apache-parent, apache-sshd fixes the following issues:

apache-parent was updated from version 28 to 31:

  • Version 31:
    • New Features:
      • Added maven-checkstyle-plugin to pluginManagement
    • Improvements:
      • Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins
      • Using an SPDX identifier as the license name is recommended by Maven
      • Use properties to define the versions of plugins
    • Bugs fixed:
      • Updated documentation for previous changes

apache-sshd was updated from version 2.7.0 to 2.12.0:

  • Security issues fixed:

    • CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)
    • CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)

  • Other changes in version 2.12.0:

    • Bugs fixed:
      • SCP client fails silently when error signalled due to missing file or lacking permissions
      • Ignore unknown key types from agent or in OpenSSH host keys extension
    • New Features:
      • Support GIT protocol-v2

  • Other changes in version 2.11.0:

    • Bugs fixed:
      • Added configurable timeout(s) to DefaultSftpClient
      • Compare file keys in ModifiableFileWatcher.
      • Fixed channel pool in SftpFileSystem.
      • Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
      • Use correct lock modes for SFTP FileChannel.lock().
      • ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
      • SftpInputStreamAsync: fix reporting EOF on zero-length reads.
      • Work-around a bug in WS_FTP <= 12.9 SFTP clients.
      • (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
      • Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
      • Fixed error handling while flushing queued packets at end of KEX.
      • Fixed wrong log level on closing an Nio2Session.
      • Fixed detection of Android O/S from system properties.
      • Consider all applicable host keys from the known_hosts files.
      • SftpFileSystem: do not close user session.
      • ChannelAsyncOutputStream: remove write future when done.
      • SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
    • New Features:
      • Use KeepAliveHandler global request instance in client as well
      • Publish snapshot maven artifacts to the Apache Snapshots maven repository.
      • Bundle sshd-contrib has support classes for the HAProxy protocol V2.

  • Other changes in version 2.10.0:

  • Bugs fixed:
    • Connection attempt not canceled when a connection timeout occurs
    • Possible OOM in ChannelPipedInputStream
    • SftpRemotePathChannel.transferFrom(...) ignores position argument
    • Rooted file system can leak informations
    • Failed to establish an SSH connection because the server identifier exceeds the int range
  • Improvements:
    • Password in clear in SSHD server's logs
  • Other changes in version 2.9.2:
    • Bugs fixed:
      • SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
      • Use the maximum packet size of the communication partner
      • ExplicitPortForwardingTracker does not unbind auto-allocated one
      • Default SshClient FD leak because Selector not closed
      • Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
      • Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
      • Nio2Session.shutdownOutput() should wait for writes in progress
    • Test:
      • Research intermittent failure in unit tests using various I/O service factories
  • Other changes in version 2.9.1:
    • Bugs fixed:
      • ClientSession.auth().verify() is terminated with timeout
      • 2.9.0 release broken on Java 8
      • Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
      • Deadlock during session exit
      • Race condition is logged in ChannelAsyncOutputStream
  • Other changes in version 2.9.0:
    • Bugs fixed:
      • Deadlock on disconnection at the end of key-exchange
      • Remote port forwarding mode does not handle EOF properly
      • Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
      • Client fails window adjust above Integer.MAX_VALUE
      • class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
      • Shell is not getting closed if the command has already closed the OutputStream it is using.
      • Sometimes async write listener is not called
      • Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException
      • different host key algorithm used on rekey than used for the initial connection
      • OpenSSH certificate is not properly encoded when critical options are included
      • TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
      • UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
    • New Features:
      • Added support for Argon2 encrypted PUTTY key files
      • Added support for merged inverted output and error streams of remote process
    • Improvements:
      • Added support for 'limits@openssh.com' SFTP extension
      • Support host-based pubkey authentication in the client
      • Send environment variable and open subsystem at the same time for SSH session
  • Other changes in version 2.8.0:
    • Bugs fixed:
      • Fixed wrong server key algorithm choice
      • Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
      • SFTP Get downloads empty file from servers which supports EOF indication after data
      • skip() doesn't work properly in SftpInputStreamAsync
      • OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api
      • SftpTransferTest sometimes hangs (failure during rekeying)
      • Race condition in KEX
      • Fix the ciphers supported documentation
      • Update tarLongFileMode to use POSIX
      • WinsCP transfer failure to Apache SSHD Server
      • Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
      • Support RSA SHA2 signatures via SSH agent
      • NOTICE: wrong copyright year range
      • Wrong creationTime in writeAttrs for SFTP
      • sshd-netty logs all traffic on INFO level
    • New Features:
      • Add support for chacha20-poly1305@openssh.com
      • Parsing of ~/.ssh/config Host patterns fails with extra whitespace
      • Support generating OpenSSH client certificates
    • Improvements:
      • Add support for curve25519-sha256@libssh.org key exchange
      • OpenSSH certificates: check certificate type
      • OpenSSHCertificatesTest: certificates expire in 2030
      • Display IdleTimeOut in more user-friendly format
      • sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file
      • Intercepting the server exception message from server in SSHD client
      • Implement RFC 8332 server-sig-algs on the server
      • Slow performance listing huge number of files on Apache SSHD server
      • SFTP: too many LSTAT calls
      • Support key constraints when adding a key to an SSH agent
      • Add SFTP server side file custom attributes hook

Список пакетов

SUSE Enterprise Storage 7.1
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP2-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP3-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP4-LTSS
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
apache-sshd-2.12.0-150200.5.8.1
openSUSE Leap 15.5
apache-parent-31-150200.3.12.1
apache-sshd-2.12.0-150200.5.8.1
apache-sshd-javadoc-2.12.0-150200.5.8.1

Ссылки

Описание

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Затронутые продукты
SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1
Ссылки

Описание

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Затронутые продукты
SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1
Ссылки
Уязвимость SUSE-SU-2024:0224-1