From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:05.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20230621062218.1FE0FECFC@freefall.freebsd.org>
Date: Wed, 21 Jun 2023 06:22:18 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:05.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          ssh-add does not honor per-hop destination constraints

Category:       contrib
Module:         openssh
Announced:      2023-06-21
Credits:        Luci Stanescu
Affects:        FreeBSD 12.4
Corrected:      2023-06-05 16:04:15 UTC (stable/12, 12.4-STABLE)
                2023-06-21 05:43:42 UTC (releng/12.4, 12.4-RELEASE-p3)
CVE Name:       CVE-2023-28531

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

II.  Problem Description

When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop
destination constraints, a logic error prevented the constraints from
being sent to the agent, so the keys were added to the agent without any
constraints.

III. Impact

Because of this logic error, a malicious server could use keys provided
by a forwarded agent that the destination constraints would normally not
allow it to use.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-23:05/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/12/                                                        r373093
releng/12.4/                                                      r373104
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
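As an added example that is not part of the advisory, the POSIX sh function below classifies the userland version string printed by `freebsd-version -u` against the corrected level this advisory names for the release branch, 12.4-RELEASE-p3; the function name, exit codes and the `--check` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a FreeBSD userland version
# string against the corrected level named in FreeBSD-SA-23:05.openssh.
# Function name, exit codes and the FIXED_PLEVEL variable are assumptions.

FIXED_PLEVEL=3   # 12.4-RELEASE-p3 is the first releng/12.4 build with the fix

# is_patched VERSION
#   VERSION is the string printed by `freebsd-version -u` (userland version,
#   which is what matters here because ssh-add(1) is part of the base userland).
#   Exit status: 0 = fixed, 1 = affected and unpatched, 2 = no verdict
#   (a branch the advisory does not list, a -STABLE build, or unparsable input).
is_patched() {
    ver="$1"
    case "$ver" in
        12.4-RELEASE)     plevel=0 ;;
        12.4-RELEASE-p*)  plevel="${ver#12.4-RELEASE-p}" ;;
        12.4-STABLE)      return 2 ;;   # compare the build date with 2023-06-05 instead
        *)                return 2 ;;   # only FreeBSD 12.4 is listed as affected
    esac
    # Reject anything that is not a plain non-negative integer patch level.
    case "$plevel" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$plevel" -ge "$FIXED_PLEVEL" ] && return 0
    return 1
}

# Report on the running system when invoked as `sh this.sh --check`.
if [ "${1:-}" = "--check" ] && command -v freebsd-version >/dev/null 2>&1; then
    v=$(freebsd-version -u)
    rc=0; is_patched "$v" || rc=$?
    case "$rc" in
        0) echo "$v: fixed (>= 12.4-RELEASE-p3)" ;;
        1) echo "$v: affected, apply SA-23:05 (freebsd-update fetch; freebsd-update install)" ;;
        *) echo "$v: not covered by this check" ;;
    esac
    exit "$rc"
fi
```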