SUSE-SU-2024:0224-1: important: Security update for apache-parent, apache-sshd
SLE-SECURITY-UPDATES
null at suse.de
Thu Jan 25 12:30:29 UTC 2024
# Security update for apache-parent, apache-sshd
Announcement ID: SUSE-SU-2024:0224-1
Rating: important
References:
* bsc#1205463
* bsc#1218189
Cross-References:
* CVE-2022-45047
* CVE-2023-48795
CVSS scores:
* CVE-2022-45047 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* Development Tools Module 15-SP5
* openSUSE Leap 15.5
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves two vulnerabilities can now be installed.
## Description:
This update for apache-parent, apache-sshd fixes the following issues:
apache-parent was updated from version 28 to 31:
* Version 31:
* New Features:
* Added maven-checkstyle-plugin to pluginManagement
* Improvements:
* Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins
* Using an SPDX identifier as the license name is recommended by Maven
* Use properties to define the versions of plugins
* Bugs fixed:
* Updated documentation for previous changes
apache-sshd was updated from version 2.7.0 to 2.12.0:
* Security issues fixed:
* CVE-2023-48795: Implemented OpenSSH "strict key exchange" protocol in
apache-sshd version 2.12.0 (bsc#1218189)
* CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-
sshd version 2.9.2 (bsc#1205463)
* Other changes in version 2.12.0:
* Bugs fixed:
* SCP client fails silently when error signalled due to missing file or lacking permissions
* Ignore unknown key types from agent or in OpenSSH host keys extension
* New Features:
* Support GIT protocol-v2
* Other changes in version 2.11.0:
* Bugs fixed:
* Added configurable timeout(s) to DefaultSftpClient
* Compare file keys in ModifiableFileWatcher.
* Fixed channel pool in SftpFileSystem.
* Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
* Use correct lock modes for SFTP FileChannel.lock().
* ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
* SftpInputStreamAsync: fix reporting EOF on zero-length reads.
* Work-around a bug in WS_FTP <= 12.9 SFTP clients.
* (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
* Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
* Fixed error handling while flushing queued packets at end of KEX.
* Fixed wrong log level on closing an Nio2Session.
* Fixed detection of Android O/S from system properties.
* Consider all applicable host keys from the known_hosts files.
* SftpFileSystem: do not close user session.
* ChannelAsyncOutputStream: remove write future when done.
* SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
* New Features:
* Use KeepAliveHandler global request instance in client as well
* Publish snapshot maven artifacts to the Apache Snapshots maven repository.
* Bundle sshd-contrib has support classes for the HAProxy protocol V2.
* Other changes in version 2.10.0:
* Bugs fixed:
* Connection attempt not canceled when a connection timeout occurs
* Possible OOM in ChannelPipedInputStream
* SftpRemotePathChannel.transferFrom(...) ignores position argument
* Rooted file system can leak informations
* Failed to establish an SSH connection because the server identifier exceeds the int range
* Improvements:
* Password in clear in SSHD server's logs
* Other changes in version 2.9.2:
* Bugs fixed:
* SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
* Use the maximum packet size of the communication partner
* ExplicitPortForwardingTracker does not unbind auto-allocated one
* Default SshClient FD leak because Selector not closed
* Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
* Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
* Nio2Session.shutdownOutput() should wait for writes in progress
* Test:
* Research intermittent failure in unit tests using various I/O service factories
* Other changes in version 2.9.1:
* Bugs fixed:
* ClientSession.auth().verify() is terminated with timeout
* 2.9.0 release broken on Java 8
* Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
* Deadlock during session exit
* Race condition is logged in ChannelAsyncOutputStream
* Other changes in version 2.9.0:
* Bugs fixed:
* Deadlock on disconnection at the end of key-exchange
* Remote port forwarding mode does not handle EOF properly
* Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
* Client fails window adjust above Integer.MAX_VALUE
* class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
* Shell is not getting closed if the command has already closed the OutputStream it is using.
* Sometimes async write listener is not called
* Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException
* different host key algorithm used on rekey than used for the initial connection
* OpenSSH certificate is not properly encoded when critical options are included
* TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
* UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
* New Features:
* Added support for Argon2 encrypted PUTTY key files
* Added support for merged inverted output and error streams of remote process
* Improvements:
* Added support for "limits at openssh.com" SFTP extension
* Support host-based pubkey authentication in the client
* Send environment variable and open subsystem at the same time for SSH session
* Other changes in version 2.8.0:
* Bugs fixed:
* Fixed wrong server key algorithm choice
* Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
* SFTP Get downloads empty file from servers which supports EOF indication after data
* skip() doesn't work properly in SftpInputStreamAsync
* OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api
* SftpTransferTest sometimes hangs (failure during rekeying)
* Race condition in KEX
* Fix the ciphers supported documentation
* Update tarLongFileMode to use POSIX
* WinsCP transfer failure to Apache SSHD Server
* Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
* Support RSA SHA2 signatures via SSH agent
* NOTICE: wrong copyright year range
* Wrong creationTime in writeAttrs for SFTP
* sshd-netty logs all traffic on INFO level
* New Features:
* Add support for chacha20-poly1305 at openssh.com
* Parsing of ~/.ssh/config Host patterns fails with extra whitespace
* Support generating OpenSSH client certificates
* Improvements:
* Add support for curve25519-sha256 at libssh.org key exchange
* OpenSSH certificates: check certificate type
* OpenSSHCertificatesTest: certificates expire in 2030
* Display IdleTimeOut in more user-friendly format
* sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file
* Intercepting the server exception message from server in SSHD client
* Implement RFC 8332 server-sig-algs on the server
* Slow performance listing huge number of files on Apache SSHD server
* SFTP: too many LSTAT calls
* Support key constraints when adding a key to an SSH agent
* Add SFTP server side file custom attributes hook
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-224=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-224=1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224=1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224=1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224=1
* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-224=1
## Package List:
* openSUSE Leap 15.5 (noarch)
* apache-parent-31-150200.3.12.1
* apache-sshd-javadoc-2.12.0-150200.5.8.1
* apache-sshd-2.12.0-150200.5.8.1
* Development Tools Module 15-SP5 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
* SUSE Enterprise Storage 7.1 (noarch)
* apache-sshd-2.12.0-150200.5.8.1
## References:
* https://www.suse.com/security/cve/CVE-2022-45047.html
* https://www.suse.com/security/cve/CVE-2023-48795.html
* https://bugzilla.suse.com/show_bug.cgi?id=1205463
* https://bugzilla.suse.com/show_bug.cgi?id=1218189
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20240125/5e16d74c/attachment.htm>
More information about the sle-security-updates
mailing list