oss-sec mailing list archives

Re: Announce: OpenSSH 9.3p2 released

From: Qualys Security Advisory <qsa () qualys com>
Date: Fri, 21 Jul 2023 12:10:31 +0000

Hi,

On Thu, Jul 20, 2023 at 09:22:08PM -0400, Demi Marie Obenour wrote:

IMO the root cause of this problem is that PKCS#11 libraries are installed
in /usr/lib, rather than in /usr/lib/pkcs11 or another subdirectory.
There should be an automated way to check if a library is a PKCS#11
library without having to load it.


Wednesday's release was a security-only release, the two patches it
contains are very simple, unlikely to break any existing installation,
and one of these patches at least (the s/error/fatal/ one) is very easy
to backport.

But the OpenSSH developers have done an amazing job and have not only
prepared these security-only patches, they have also prepared two more
defense-in-depth patches (which are more intrusive and therefore need
testing by the community first):

https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77
https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755

The first one of these patches is probably what you are looking for
("check if a library is a PKCS#11 library without having to load it").

Thanks again to the OpenSSH developers for their incredible work! With
best regards,

-- 
the Qualys Security Advisory team

Current thread:

Announce: OpenSSH 9.3p2 released Damien Miller (Jul 19)
- Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 20)
  - Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 20)
    - Re: Announce: OpenSSH 9.3p2 released Matthew Fernandez (Jul 20)
    - Re: Announce: OpenSSH 9.3p2 released Marcus Meissner (Jul 21)
    - Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 21)
    - Re: Announce: OpenSSH 9.3p2 released Qualys Security Advisory (Jul 21)
    - Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 21)