SUSE-SU-2024:0224-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20240224-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0224-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:0224-1
Related
Published
2024-01-25T08:27:16Z
Modified
2024-01-25T08:27:16Z
Summary
Security update for apache-parent, apache-sshd
Details

This update for apache-parent, apache-sshd fixes the following issues:

apache-parent was updated from version 28 to 31:

  • Version 31:
    • New Features:
      • Added maven-checkstyle-plugin to pluginManagement
    • Improvements:
      • Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins
      • Using an SPDX identifier as the license name is recommended by Maven
      • Use properties to define the versions of plugins
    • Bugs fixed:
      • Updated documentation for previous changes

apache-sshd was updated from version 2.7.0 to 2.12.0:

  • Security issues fixed:

    • CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)
    • CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)
  • Other changes in version 2.12.0:

    • Bugs fixed:
      • SCP client fails silently when error signalled due to missing file or lacking permissions
      • Ignore unknown key types from agent or in OpenSSH host keys extension
    • New Features:
      • Support GIT protocol-v2
  • Other changes in version 2.11.0:
    • Bugs fixed:
      • Added configurable timeout(s) to DefaultSftpClient
      • Compare file keys in ModifiableFileWatcher.
      • Fixed channel pool in SftpFileSystem.
      • Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
      • Use correct lock modes for SFTP FileChannel.lock().
      • ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
      • SftpInputStreamAsync: fix reporting EOF on zero-length reads.
      • Work-around a bug in WSFTP <= 12.9 SFTP clients.
      • (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
      • Fixed a race condition to ensure SSHMSGCHANNELEOF is always sent before SSHMSGCHANNELCLOSE.
      • Fixed error handling while flushing queued packets at end of KEX.
      • Fixed wrong log level on closing an Nio2Session.
      • Fixed detection of Android O/S from system properties.
      • Consider all applicable host keys from the knownhosts files.
      • SftpFileSystem: do not close user session.
      • ChannelAsyncOutputStream: remove write future when done.
      • SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
    • New Features:
      • Use KeepAliveHandler global request instance in client as well
      • Publish snapshot maven artifacts to the Apache Snapshots maven repository.
      • Bundle sshd-contrib has support classes for the HAProxy protocol V2.
  • Other changes in version 2.10.0:
    • Bugs fixed:
      • Connection attempt not canceled when a connection timeout occurs
      • Possible OOM in ChannelPipedInputStream
      • SftpRemotePathChannel.transferFrom(...) ignores position argument
      • Rooted file system can leak informations
      • Failed to establish an SSH connection because the server identifier exceeds the int range
    • Improvements:
      • Password in clear in SSHD server's logs
  • Other changes in version 2.9.2:
    • Bugs fixed:
      • SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
      • Use the maximum packet size of the communication partner
      • ExplicitPortForwardingTracker does not unbind auto-allocated one
      • Default SshClient FD leak because Selector not closed
      • Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
      • Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
      • Nio2Session.shutdownOutput() should wait for writes in progress
    • Test:
      • Research intermittent failure in unit tests using various I/O service factories
  • Other changes in version 2.9.1:
    • Bugs fixed:
      • ClientSession.auth().verify() is terminated with timeout
      • 2.9.0 release broken on Java 8
      • Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
      • Deadlock during session exit
      • Race condition is logged in ChannelAsyncOutputStream
  • Other changes in version 2.9.0:
    • Bugs fixed:
      • Deadlock on disconnection at the end of key-exchange
      • Remote port forwarding mode does not handle EOF properly
      • Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
      • Client fails window adjust above Integer.MAX_VALUE
      • class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
      • Shell is not getting closed if the command has already closed the OutputStream it is using.
      • Sometimes async write listener is not called
      • Unhandled SSHMSGCHANNELWINDOWADJUST leeds to SocketTimeoutException
      • different host key algorithm used on rekey than used for the initial connection
      • OpenSSH certificate is not properly encoded when critical options are included
      • TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
      • UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
    • New Features:
      • Added support for Argon2 encrypted PUTTY key files
      • Added support for merged inverted output and error streams of remote process
    • Improvements:
      • Added support for 'limits@openssh.com' SFTP extension
      • Support host-based pubkey authentication in the client
      • Send environment variable and open subsystem at the same time for SSH session
  • Other changes in version 2.8.0:
    • Bugs fixed:
      • Fixed wrong server key algorithm choice
      • Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
      • SFTP Get downloads empty file from servers which supports EOF indication after data
      • skip() doesn't work properly in SftpInputStreamAsync
      • OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api
      • SftpTransferTest sometimes hangs (failure during rekeying)
      • Race condition in KEX
      • Fix the ciphers supported documentation
      • Update tarLongFileMode to use POSIX
      • WinsCP transfer failure to Apache SSHD Server
      • Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
      • Support RSA SHA2 signatures via SSH agent
      • NOTICE: wrong copyright year range
      • Wrong creationTime in writeAttrs for SFTP
      • sshd-netty logs all traffic on INFO level
    • New Features:
      • Add support for chacha20-poly1305@openssh.com
      • Parsing of ~/.ssh/config Host patterns fails with extra whitespace
      • Support generating OpenSSH client certificates
    • Improvements:
      • Add support for curve25519-sha256@libssh.org key exchange
      • OpenSSH certificates: check certificate type
      • OpenSSHCertificatesTest: certificates expire in 2030
      • Display IdleTimeOut in more user-friendly format
      • sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file
      • Intercepting the server exception message from server in SSHD client
      • Implement RFC 8332 server-sig-algs on the server
      • Slow performance listing huge number of files on Apache SSHD server
      • SFTP: too many LSTAT calls
      • Support key constraints when adding a key to an SSH agent
      • Add SFTP server side file custom attributes hook
References

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP5 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP2-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP3-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP4-LTSS / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP2 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP3 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP4 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

SUSE:Enterprise Storage 7.1 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=SUSE%20Enterprise%20Storage%207.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd": "2.12.0-150200.5.8.1"
        }
    ]
}

openSUSE:Leap 15.5 / apache-parent

Package

Name
apache-parent
Purl
purl:rpm/suse/apache-parent&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
31-150200.3.12.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd-javadoc": "2.12.0-150200.5.8.1",
            "apache-sshd": "2.12.0-150200.5.8.1",
            "apache-parent": "31-150200.3.12.1"
        }
    ]
}

openSUSE:Leap 15.5 / apache-sshd

Package

Name
apache-sshd
Purl
purl:rpm/suse/apache-sshd&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.0-150200.5.8.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-sshd-javadoc": "2.12.0-150200.5.8.1",
            "apache-sshd": "2.12.0-150200.5.8.1",
            "apache-parent": "31-150200.3.12.1"
        }
    ]
}