Overview

File _patchinfo of Package patchinfo.29890

<patchinfo incident="29890">
  <issue tracker="cve" id="2023-38408"/>
  <issue tracker="bnc" id="1186673">CC: openssh is not always clearing keys</issue>
  <issue tracker="bnc" id="1213004">SSH session keys not deleted after session ends</issue>
  <issue tracker="bnc" id="1213008">CC: openssh is not always clearing keys</issue>
  <issue tracker="bnc" id="1209536">SLES15 SP5 S202302-1 - openssh missing or bad close() calls causes openssl-ibmca engine not directing work to accelerator cards (regression)</issue>
  <issue tracker="bnc" id="1213504">CVE-2023-38408: openssh: Remote Code Execution in OpenSSH's forwarded ssh-agent</issue>
  <packager>simotek</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for openssh</summary>
  <description>This update for openssh fixes the following issues:

- CVE-2023-38408: Fixed a condition where specific libaries loaded via
  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
  execution via a forwarded agent socket if those libraries were present on the
  victim's system and if the agent was forwarded to an attacker-controlled
  system. [bsc#1213504, CVE-2023-38408]

- Close the right filedescriptor and also close fdh in read_hmac to avoid file
  descriptor leaks. [bsc#1209536]

- Attempts to mitigate instances of secrets lingering in memory after a session
  exits. [bsc#1186673, bsc#1213004, bsc#1213008]
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places