OpenSSH 9.3 update with security fixes

OpenSSH 9.3, an open implementation of the client and server for the SSH 2.0 and SFTP protocols, has been released. The new version fixes the following security issues:

  • A logic error was identified in the ssh-add utility: when adding smartcard keys to ssh-agent, the destination restrictions specified with the "ssh-add -h" option were not passed on to the agent. As a result, the key was added to the agent without the restrictions that should have limited its use to connections to certain hosts.
  • A vulnerability was identified in the ssh utility that could cause a read from the stack outside the allocated buffer when processing specially crafted DNS responses, if the VerifyHostKeyDNS option is enabled in the configuration file. The problem lies in the built-in implementation of the getrrsetbyname() function, which is used in portable OpenSSH builds that do not use the external ldns library (--with-ldns) and on systems whose standard library does not provide the getrrsetbyname() call. Exploitation beyond a denial of service against the ssh client is assessed as unlikely.

Additionally, a vulnerability can be noted in the libskey library shipped with OpenBSD and used by OpenSSH. The problem has been present since 1997 and can lead to a stack buffer overflow when processing specially crafted hostnames. It is noted that, although the vulnerability can be triggered remotely via OpenSSH, in practice it is useless: for it to manifest, the name of the attacked host (/etc/hostname) must be longer than 126 characters, and the buffer can only be overflowed with null bytes ('\0').

Among the non-security changes:

  • Added the "-Ohashalg=sha1|sha256" option to ssh-keygen and ssh-keyscan to select the hash algorithm used when displaying SSHFP records (key fingerprints).
  • Added the "-G" option to sshd, which parses and prints the active configuration without attempting to load private keys and without performing additional checks; this allows the configuration to be validated before keys are generated and by unprivileged users.
  • sshd's sandboxing on Linux, based on the seccomp and seccomp-bpf system call filtering mechanisms, has been tightened. The allow-list of system calls now includes additional flags for mmap, madvise and futex.
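As an added illustration of the SSHFP handling touched by the ssh-keygen/ssh-keyscan "-Ohashalg" option above and by the VerifyHostKeyDNS fix, the following example (not code from the OpenSSH project or from the original article) builds SSHFP resource records from an OpenSSH public key line with either SHA-1 or SHA-256 fingerprints, and checks a presented key against a published record, which is the comparison an ssh client performs when VerifyHostKeyDNS is enabled. The algorithm and fingerprint-type numbers follow RFC 4255, RFC 6594 and RFC 7479; the Ed25519 key material is a constructed 32-byte value, not a real key, and the hostname is a placeholder.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGORITHM_NUMBERS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FINGERPRINT_TYPES = {"sha1": 1, "sha256": 2}
FINGERPRINT_NAMES = {v: k for k, v in FINGERPRINT_TYPES.items()}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an authorized_keys-style line from a raw 32-byte value (constructed, not a real key)."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, key_blob) from a 'type base64 [comment]' line, rejecting inconsistent input."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    if key_type not in KEY_ALGORITHM_NUMBERS:
        raise ValueError(f"unsupported key type: {key_type}")
    blob = base64.b64decode(b64, validate=True)
    # The blob's own leading type string must match the first field.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match encoded blob")
    return key_type, blob


def sshfp_records(line: str, hostname: str = "host.example", hashalgs=("sha1", "sha256")):
    """Produce 'hostname IN SSHFP <alg> <fptype> <hex>' records, like ssh-keygen -r."""
    key_type, blob = parse_pubkey_line(line)
    alg = KEY_ALGORITHM_NUMBERS[key_type]
    records = []
    for h in hashalgs:
        # The fingerprint is the hash of the raw public key blob.
        digest = hashlib.new(h, blob).hexdigest()
        records.append(f"{hostname} IN SSHFP {alg} {FINGERPRINT_TYPES[h]} {digest}")
    return records


def key_matches_sshfp(line: str, record: str) -> bool:
    """True if the key on `line` matches the fingerprint in an SSHFP record."""
    parts = record.split()
    if len(parts) < 3:
        return False
    try:
        alg, fptype, fp = int(parts[-3]), int(parts[-2]), parts[-1].lower()
        key_type, blob = parse_pubkey_line(line)
    except ValueError:
        return False
    if KEY_ALGORITHM_NUMBERS[key_type] != alg:
        return False
    hashname = FINGERPRINT_NAMES.get(fptype)
    if hashname is None:
        return False  # unknown fingerprint type: never treat as a match
    return hashlib.new(hashname, blob).hexdigest() == fp


if __name__ == "__main__":
    sample = build_ed25519_pubkey_line(bytes(range(32)))  # constructed key material
    for rec in sshfp_records(sample, "host.example"):
        print(rec)
```

The comparison deliberately refuses to match on an unknown fingerprint type or a malformed record rather than falling back to a weaker check; a client validating host keys against DNS should fail closed in the same way.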

Source: opennet.ru
