Overview

File _patchinfo of Package patchinfo.32181

<patchinfo incident="32181">
  <issue tracker="cve" id="2023-48795"/>
  <issue tracker="cve" id="2022-45047"/>
  <issue tracker="bnc" id="1205463">VUL-0: CVE-2022-45047: apache-sshd: Java unsafe deserialization vulnerability</issue>
  <issue tracker="bnc" id="1218189">VUL-0: CVE-2023-48795: apache-sshd: prefix truncation breaking ssh channel integrity aka Terrapin Attack</issue>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for apache-parent, apache-sshd</summary>
  <description>This update for apache-parent, apache-sshd fixes the following issues:

apache-parent was updated from version 28 to 31:

- Version 31:
  * New Features:
    + Added maven-checkstyle-plugin to pluginManagement
  * Improvements:
    + Set minimalMavenBuildVersion to 3.6.3 - the minimum
      used by plugins
    + Using an SPDX identifier as the license name is
      recommended by Maven
    + Use properties to define the versions of plugins
  * Bugs fixed:
    + Updated documentation for previous changes

apache-sshd was updated from version 2.7.0 to 2.12.0:

- Security issues fixed:
  * CVE-2023-48795: Implemented OpenSSH "strict key exchange" protocol in apache-sshd version 2.12.0 (bsc#1218189)
  * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)

- Other changes in version 2.12.0:
  * Bugs fixed:
    + SCP client fails silently when error signalled due to missing file or lacking permissions
    + Ignore unknown key types from agent or in OpenSSH host keys extension
  * New Features:
    + Support GIT protocol-v2
- Other changes in version 2.11.0:
  * Bugs fixed:
    + Added configurable timeout(s) to DefaultSftpClient
    + Compare file keys in ModifiableFileWatcher.
    + Fixed channel pool in SftpFileSystem.
    + Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
    + Use correct lock modes for SFTP FileChannel.lock().
    + ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
    + SftpInputStreamAsync: fix reporting EOF on zero-length reads.
    + Work-around a bug in WS_FTP &lt;= 12.9 SFTP clients.
    + (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
    + Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
    + Fixed error handling while flushing queued packets at end of KEX.
    + Fixed wrong log level on closing an Nio2Session.
    + Fixed detection of Android O/S from system properties.
    + Consider all applicable host keys from the known_hosts files.
    + SftpFileSystem: do not close user session.
    + ChannelAsyncOutputStream: remove write future when done.
    + SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
  * New Features:
    + Use KeepAliveHandler global request instance in client as well
    + Publish snapshot maven artifacts to the Apache Snapshots maven repository.
    + Bundle sshd-contrib has support classes for the HAProxy protocol V2.
-  Other changes in version 2.10.0:
  * Bugs fixed:
    + Connection attempt not canceled when a connection timeout occurs
    + Possible OOM in ChannelPipedInputStream
    + SftpRemotePathChannel.transferFrom(...) ignores position argument
    + Rooted file system can leak informations
    + Failed to establish an SSH connection because the server identifier exceeds the int range
  * Improvements:
    + Password in clear in SSHD server's logs
- Other changes in version 2.9.2:
  * Bugs fixed:
    + SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
    + Use the maximum packet size of the communication partner
    + ExplicitPortForwardingTracker does not unbind auto-allocated one
    + Default SshClient FD leak because Selector not closed
    + Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
    + Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
    + Nio2Session.shutdownOutput() should wait for writes in progress
  * Test:
    + Research intermittent failure in unit tests using various I/O
      service factories
- Other changes in version 2.9.1:
  * Bugs fixed:
    + ClientSession.auth().verify() is terminated with timeout
    + 2.9.0 release broken on Java 8
    + Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
    + Deadlock during session exit
    + Race condition is logged in ChannelAsyncOutputStream
- Other changes in version 2.9.0:
  * Bugs fixed:
    + Deadlock on disconnection at the end of key-exchange
    + Remote port forwarding mode does not handle EOF properly
    + Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
    + Client fails window adjust above Integer.MAX_VALUE
    + class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
    + Shell is not getting closed if the command has already closed the OutputStream it is using.
    + Sometimes async write listener is not called
    + Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException
    + different host key algorithm used on rekey than used for the initial connection
    + OpenSSH certificate is not properly encoded when critical options are included
    + TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
    + UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
  * New Features:
    + Added support for Argon2 encrypted PUTTY key files
    + Added support for merged inverted output and error streams of remote process
  * Improvements:
    + Added support for "limits@openssh.com" SFTP extension
    + Support host-based pubkey authentication in the client
    + Send environment variable and open subsystem at the same time for SSH session
- Other changes in version 2.8.0:
  * Bugs fixed:
    + Fixed wrong server key algorithm choice
    + Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
    + SFTP Get downloads empty file from servers which supports EOF indication after data
    + skip() doesn't work properly in SftpInputStreamAsync
    + OpenMode and CopyMode is not honored as expected in version &gt; 4 of SFTP api
    + SftpTransferTest sometimes hangs (failure during rekeying)
    + Race condition in KEX
    + Fix the ciphers supported documentation
    + Update tarLongFileMode to use POSIX
    + WinsCP transfer failure to Apache SSHD Server
    + Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
    + Support RSA SHA2 signatures via SSH agent
    + NOTICE: wrong copyright year range
    + Wrong creationTime in writeAttrs for SFTP
    + sshd-netty logs all traffic on INFO level
  * New Features:
    + Add support for chacha20-poly1305@openssh.com
    + Parsing of ~/.ssh/config Host patterns fails with extra
      whitespace
    + Support generating OpenSSH client certificates
  * Improvements:
    + Add support for curve25519-sha256@libssh.org key exchange
    + OpenSSH certificates: check certificate type
    + OpenSSHCertificatesTest: certificates expire in 2030
    + Display IdleTimeOut in more user-friendly format
    + sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from
      outside using variable/config file
    + Intercepting the server exception message from server in SSHD client
    + Implement RFC 8332 server-sig-algs on the server
    + Slow performance listing huge number of files on Apache SSHD server
    + SFTP: too many LSTAT calls
    + Support key constraints when adding a key to an SSH agent
    + Add SFTP server side file custom attributes hook

</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places