<div class="container">
<h1>Security update for apache-parent, apache-sshd</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:0224-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1205463">bsc#1205463</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218189">bsc#1218189</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-45047.html">CVE-2022-45047</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-48795.html">CVE-2023-48795</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-45047</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-48795</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-48795</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Development Tools Module 15-SP5</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">SUSE Enterprise Storage 7.1</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for apache-parent, apache-sshd fixes the following issues:</p>
<p>apache-parent was updated from version 28 to 31:</p>
<ul>
<li>Version 31:</li>
<li>New Features:<ul>
<li>Added maven-checkstyle-plugin to pluginManagement</li>
</ul>
</li>
<li>Improvements:<ul>
<li>Set minimalMavenBuildVersion to 3.6.3 - the minimum
used by plugins</li>
<li>Using an SPDX identifier as the license name is
recommended by Maven</li>
<li>Use properties to define the versions of plugins</li>
</ul>
</li>
<li>Bugs fixed:<ul>
<li>Updated documentation for previous changes</li>
</ul>
</li>
</ul>
<p>apache-sshd was updated from version 2.7.0 to 2.12.0:</p>
<ul>
<li>Security issues fixed:</li>
<li>CVE-2023-48795: Implemented OpenSSH "strict key exchange" protocol in apache-sshd version 2.12.0 (bsc#1218189)</li>
<li>
<p>CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)</p>
</li>
<li>
<p>Other changes in version 2.12.0:</p>
</li>
<li>Bugs fixed:<ul>
<li>SCP client fails silently when error signalled due to missing file or lacking permissions</li>
<li>Ignore unknown key types from agent or in OpenSSH host keys extension</li>
</ul>
</li>
<li>New Features:<ul>
<li>Support GIT protocol-v2</li>
</ul>
</li>
<li>Other changes in version 2.11.0:</li>
<li>Bugs fixed:<ul>
<li>Added configurable timeout(s) to DefaultSftpClient</li>
<li>Compare file keys in ModifiableFileWatcher.</li>
<li>Fixed channel pool in SftpFileSystem.</li>
<li>Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().</li>
<li>Use correct lock modes for SFTP FileChannel.lock().</li>
<li>ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.</li>
<li>SftpInputStreamAsync: fix reporting EOF on zero-length reads.</li>
<li>Work-around a bug in WS_FTP <= 12.9 SFTP clients.</li>
<li>(Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).</li>
<li>Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.</li>
<li>Fixed error handling while flushing queued packets at end of KEX.</li>
<li>Fixed wrong log level on closing an Nio2Session.</li>
<li>Fixed detection of Android O/S from system properties.</li>
<li>Consider all applicable host keys from the known_hosts files.</li>
<li>SftpFileSystem: do not close user session.</li>
<li>ChannelAsyncOutputStream: remove write future when done.</li>
<li>SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.</li>
</ul>
</li>
<li>New Features:<ul>
<li>Use KeepAliveHandler global request instance in client as well</li>
<li>Publish snapshot maven artifacts to the Apache Snapshots maven repository.</li>
<li>Bundle sshd-contrib has support classes for the HAProxy protocol V2.</li>
</ul>
</li>
<li>Other changes in version 2.10.0:</li>
<li>Bugs fixed:<ul>
<li>Connection attempt not canceled when a connection timeout occurs</li>
<li>Possible OOM in ChannelPipedInputStream</li>
<li>SftpRemotePathChannel.transferFrom(...) ignores position argument</li>
<li>Rooted file system can leak informations</li>
<li>Failed to establish an SSH connection because the server identifier exceeds the int range</li>
</ul>
</li>
<li>Improvements:<ul>
<li>Password in clear in SSHD server's logs</li>
</ul>
</li>
<li>Other changes in version 2.9.2:</li>
<li>Bugs fixed:<ul>
<li>SFTP worker threads got stuck while processing PUT methods against one specific SFTP server</li>
<li>Use the maximum packet size of the communication partner</li>
<li>ExplicitPortForwardingTracker does not unbind auto-allocated one</li>
<li>Default SshClient FD leak because Selector not closed</li>
<li>Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1</li>
<li>Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called</li>
<li>Nio2Session.shutdownOutput() should wait for writes in progress</li>
</ul>
</li>
<li>Test:<ul>
<li>Research intermittent failure in unit tests using various I/O
service factories</li>
</ul>
</li>
<li>Other changes in version 2.9.1:</li>
<li>Bugs fixed:<ul>
<li>ClientSession.auth().verify() is terminated with timeout</li>
<li>2.9.0 release broken on Java 8</li>
<li>Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead</li>
<li>Deadlock during session exit</li>
<li>Race condition is logged in ChannelAsyncOutputStream</li>
</ul>
</li>
<li>Other changes in version 2.9.0:</li>
<li>Bugs fixed:<ul>
<li>Deadlock on disconnection at the end of key-exchange</li>
<li>Remote port forwarding mode does not handle EOF properly</li>
<li>Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)</li>
<li>Client fails window adjust above Integer.MAX_VALUE</li>
<li>class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher</li>
<li>Shell is not getting closed if the command has already closed the OutputStream it is using.</li>
<li>Sometimes async write listener is not called</li>
<li>Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException</li>
<li>different host key algorithm used on rekey than used for the initial connection</li>
<li>OpenSSH certificate is not properly encoded when critical options are included</li>
<li>TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH</li>
<li>UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent</li>
</ul>
</li>
<li>New Features:<ul>
<li>Added support for Argon2 encrypted PUTTY key files</li>
<li>Added support for merged inverted output and error streams of remote process</li>
</ul>
</li>
<li>Improvements:<ul>
<li>Added support for "limits@openssh.com" SFTP extension</li>
<li>Support host-based pubkey authentication in the client</li>
<li>Send environment variable and open subsystem at the same time for SSH session</li>
</ul>
</li>
<li>Other changes in version 2.8.0:</li>
<li>Bugs fixed:<ul>
<li>Fixed wrong server key algorithm choice</li>
<li>Expiration of OpenSshCertificates needs to compare timestamps as unsigned long</li>
<li>SFTP Get downloads empty file from servers which supports EOF indication after data</li>
<li>skip() doesn't work properly in SftpInputStreamAsync</li>
<li>OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api</li>
<li>SftpTransferTest sometimes hangs (failure during rekeying)</li>
<li>Race condition in KEX</li>
<li>Fix the ciphers supported documentation</li>
<li>Update tarLongFileMode to use POSIX</li>
<li>WinsCP transfer failure to Apache SSHD Server</li>
<li>Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true</li>
<li>Support RSA SHA2 signatures via SSH agent</li>
<li>NOTICE: wrong copyright year range</li>
<li>Wrong creationTime in writeAttrs for SFTP</li>
<li>sshd-netty logs all traffic on INFO level</li>
</ul>
</li>
<li>New Features:<ul>
<li>Add support for chacha20-poly1305@openssh.com</li>
<li>Parsing of ~/.ssh/config Host patterns fails with extra
whitespace</li>
<li>Support generating OpenSSH client certificates</li>
</ul>
</li>
<li>Improvements:<ul>
<li>Add support for curve25519-sha256@libssh.org key exchange</li>
<li>OpenSSH certificates: check certificate type</li>
<li>OpenSSHCertificatesTest: certificates expire in 2030</li>
<li>Display IdleTimeOut in more user-friendly format</li>
<li>sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from
outside using variable/config file</li>
<li>Intercepting the server exception message from server in SSHD client</li>
<li>Implement RFC 8332 server-sig-algs on the server</li>
<li>Slow performance listing huge number of files on Apache SSHD server</li>
<li>SFTP: too many LSTAT calls</li>
<li>Support key constraints when adding a key to an SSH agent</li>
<li>Add SFTP server side file custom attributes hook</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-224=1</code>
</li>
<li class="list-group-item">
Development Tools Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7.1
<br/>
<code>zypper in -t patch SUSE-Storage-7.1-2024-224=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (noarch)
<ul>
<li>apache-parent-31-150200.3.12.1</li>
<li>apache-sshd-javadoc-2.12.0-150200.5.8.1</li>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
Development Tools Module 15-SP5 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (noarch)
<ul>
<li>apache-sshd-2.12.0-150200.5.8.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-45047.html">https://www.suse.com/security/cve/CVE-2022-45047.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-48795.html">https://www.suse.com/security/cve/CVE-2023-48795.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1205463">https://bugzilla.suse.com/show_bug.cgi?id=1205463</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1218189">https://bugzilla.suse.com/show_bug.cgi?id=1218189</a>
</li>
</ul>
</div>