update: openssh #1133
Labels:
advisory: security advisory
channel/alpha: Issue concerns the Alpha channel.
channel/beta: Issue concerns the Beta channel.
cvss/CRITICAL: >= 9 assessed CVSS
security: security concerns
Name: openssh
CVEs: CVE-2023-38408
CVSSs: 9.8
Action Needed: update to >= 9.3_p2
Summary: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
See also https://seclists.org/oss-sec/2023/q3/49.
refmap.gentoo: https://bugs.gentoo.org/910553
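
A check for the "Action Needed" line above, as an added example that is not part of the original issue or of OpenSSH: the hypothetical function `openssh_needs_update` parses an upstream or Gentoo-style version string and reports whether it is older than 9.3p2. The version strings shown in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the issue): compare an OpenSSH version string with
# 9.3p2, the first release the advisory lists as fixed for CVE-2023-38408.
# Function and variable names are hypothetical.

FIXED_MAJOR=9
FIXED_MINOR=3
FIXED_PATCH=2

# openssh_needs_update STRING
#   returns 0 if STRING is older than 9.3p2 (update needed)
#   returns 1 if STRING is 9.3p2 or newer
#   returns 2 if STRING cannot be parsed
# Accepts `ssh -V` banners ("OpenSSH_9.3p1, OpenSSL ..."), bare upstream
# versions ("9.3p2") and Gentoo-style versions ("9.3_p2", "9.3_p2-r1").
openssh_needs_update() {
    _s=${1#OpenSSH_}          # drop the banner prefix
    _s=${_s%%[, ]*}           # drop everything after the version token
    _s=${_s%%-*}              # drop a Gentoo revision suffix such as -r1
    _maj=${_s%%.*}            # digits before the first dot
    _rest=${_s#*.}            # e.g. "3p1" or "3_p2"
    _min=${_rest%%[!0-9]*}    # leading digits of the remainder
    _pat=${_rest#"$_min"}     # "p1", "_p2" or empty
    _pat=${_pat#_}
    _pat=${_pat#p}
    [ -n "$_pat" ] || _pat=0  # no portable level given: treat as p0

    # Every component must be a non-empty run of digits.
    for _n in "$_maj" "$_min" "$_pat"; do
        case $_n in
            ''|*[!0-9]*) return 2 ;;
        esac
    done

    if [ "$_maj" -ne "$FIXED_MAJOR" ]; then
        if [ "$_maj" -lt "$FIXED_MAJOR" ]; then return 0; else return 1; fi
    elif [ "$_min" -ne "$FIXED_MINOR" ]; then
        if [ "$_min" -lt "$FIXED_MINOR" ]; then return 0; else return 1; fi
    elif [ "$_pat" -lt "$FIXED_PATCH" ]; then
        return 0
    fi
    return 1
}

# Usage (ssh -V writes its banner to stderr):
#   openssh_needs_update "$(ssh -V 2>&1)" && echo "update to >= 9.3_p2"
```

The comparison uses only the version string, so a package that carries a backported fix under an older upstream version will still be reported as needing an update.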