[SUSE-SU-2024:0224-1] Security update for apache-parent, apache-sshd

Severity Important
Affected Packages 7
CVEs 2

Security update for apache-parent, apache-sshd

This update for apache-parent, apache-sshd fixes the following issues:

apache-parent was updated from version 28 to 31:

  • Version 31:
    • New Features:
      • Added maven-checkstyle-plugin to pluginManagement
    • Improvements:
      • Set minimalMavenBuildVersion to 3.6.3, the minimum used by plugins
      • Using an SPDX identifier as the license name is recommended by Maven
      • Use properties to define the versions of plugins
    • Bugs fixed:
      • Updated documentation for previous changes

apache-sshd was updated from version 2.7.0 to 2.12.0:

  • Security issues fixed:
    • CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)
    • CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)
  • Other changes in version 2.12.0:
    • Bugs fixed:
      • SCP client fails silently when an error is signalled due to a missing file or lacking permissions
      • Ignore unknown key types from agent or in OpenSSH host keys extension
    • New Features:
      • Support GIT protocol-v2
  • Other changes in version 2.11.0:
    • Bugs fixed:
      • Added configurable timeout(s) to DefaultSftpClient
      • Compare file keys in ModifiableFileWatcher.
      • Fixed channel pool in SftpFileSystem.
      • Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
      • Use correct lock modes for SFTP FileChannel.lock().
      • ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
      • SftpInputStreamAsync: fix reporting EOF on zero-length reads.
      • Work around a bug in WS_FTP <= 12.9 SFTP clients.
      • (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
      • Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
      • Fixed error handling while flushing queued packets at end of KEX.
      • Fixed wrong log level on closing an Nio2Session.
      • Fixed detection of Android O/S from system properties.
      • Consider all applicable host keys from the known_hosts files.
      • SftpFileSystem: do not close user session.
      • ChannelAsyncOutputStream: remove write future when done.
      • SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
    • New Features:
      • Use KeepAliveHandler global request instance in client as well
      • Publish snapshot maven artifacts to the Apache Snapshots maven repository.
      • Bundle sshd-contrib has support classes for the HAProxy protocol V2.
  • Other changes in version 2.10.0:
    • Bugs fixed:
      • Connection attempt not canceled when a connection timeout occurs
      • Possible OOM in ChannelPipedInputStream
      • SftpRemotePathChannel.transferFrom(...) ignores position argument
      • Rooted file system can leak information
      • Failed to establish an SSH connection because the server identifier exceeds the int range
    • Improvements:
      • Password in clear in SSHD server's logs
  • Other changes in version 2.9.2:
    • Bugs fixed:
      • SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
      • Use the maximum packet size of the communication partner
      • ExplicitPortForwardingTracker does not unbind auto-allocated one
      • Default SshClient FD leak because Selector not closed
      • Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
      • Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
      • Nio2Session.shutdownOutput() should wait for writes in progress
    • Test:
      • Research intermittent failure in unit tests using various I/O service factories
  • Other changes in version 2.9.1:
    • Bugs fixed:
      • ClientSession.auth().verify() is terminated with timeout
      • 2.9.0 release broken on Java 8
      • Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
      • Deadlock during session exit
      • Race condition is logged in ChannelAsyncOutputStream
  • Other changes in version 2.9.0:
    • Bugs fixed:
      • Deadlock on disconnection at the end of key-exchange
      • Remote port forwarding mode does not handle EOF properly
      • Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
      • Client fails window adjust above Integer.MAX_VALUE
      • Class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
      • Shell is not getting closed if the command has already closed the OutputStream it is using.
      • Sometimes async write listener is not called
      • Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leads to SocketTimeoutException
      • Different host key algorithm used on rekey than used for the initial connection
      • OpenSSH certificate is not properly encoded when critical options are included
      • TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
      • UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
    • New Features:
      • Added support for Argon2 encrypted PUTTY key files
      • Added support for merged inverted output and error streams of remote process
    • Improvements:
      • Added support for 'limits@openssh.com' SFTP extension
      • Support host-based pubkey authentication in the client
      • Send environment variable and open subsystem at the same time for SSH session
  • Other changes in version 2.8.0:
    • Bugs fixed:
      • Fixed wrong server key algorithm choice
      • Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
      • SFTP Get downloads empty file from servers that support EOF indication after data
      • skip() doesn't work properly in SftpInputStreamAsync
      • OpenMode and CopyMode are not honored as expected in version > 4 of SFTP api
      • SftpTransferTest sometimes hangs (failure during rekeying)
      • Race condition in KEX
      • Fix the ciphers supported documentation
      • Update tarLongFileMode to use POSIX
      • WinSCP transfer failure to Apache SSHD Server
      • Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
      • Support RSA SHA2 signatures via SSH agent
      • NOTICE: wrong copyright year range
      • Wrong creationTime in writeAttrs for SFTP
      • sshd-netty logs all traffic on INFO level
    • New Features:
      • Add support for chacha20-poly1305@openssh.com
      • Parsing of ~/.ssh/config Host patterns fails with extra whitespace
      • Support generating OpenSSH client certificates
    • Improvements:
      • Add support for curve25519-sha256@libssh.org key exchange
      • OpenSSH certificates: check certificate type
      • OpenSSHCertificatesTest: certificates expire in 2030
      • Display IdleTimeOut in more user-friendly format
      • sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file
      • Intercepting the server exception message from server in SSHD client
      • Implement RFC 8332 server-sig-algs on the server
      • Slow performance listing huge number of files on Apache SSHD server
      • SFTP: too many LSTAT calls
      • Support key constraints when adding a key to an SSH agent
      • Add SFTP server side file custom attributes hook
ID: SUSE-SU-2024:0224-1
Severity: important
URL: https://www.suse.com/support/update/announcement/2024/suse-su-20240224-1/
Published: 2024-01-25T08:27:16
Modified: 2024-01-25T08:27:16
Rights: Copyright 2024 SUSE LLC. All rights reserved.
Affected packages

| Type | Package URL | Namespace | Name | Version | Distribution | Arch |
|---|---|---|---|---|---|---|
| Affected | pkg:rpm/suse/apache-sshd?arch=noarch&distro=sles-15&sp=4 | suse | apache-sshd | < 2.12.0-150200.5.8.1 | sles-15 | noarch |
| Affected | pkg:rpm/suse/apache-sshd?arch=noarch&distro=sles-15&sp=3 | suse | apache-sshd | < 2.12.0-150200.5.8.1 | sles-15 | noarch |
| Affected | pkg:rpm/suse/apache-sshd?arch=noarch&distro=sles-15&sp=2 | suse | apache-sshd | < 2.12.0-150200.5.8.1 | sles-15 | noarch |
| Affected | pkg:rpm/suse/apache-sshd?arch=noarch&distro=sled-15&sp=4 | suse | apache-sshd | < 2.12.0-150200.5.8.1 | sled-15 | noarch |
| Affected | pkg:rpm/suse/apache-sshd?arch=noarch&distro=opensuse-leap-15.5 | suse | apache-sshd | < 2.12.0-150200.5.8.1 | opensuse-leap-15.5 | noarch |
| Affected | pkg:rpm/suse/apache-sshd-javadoc?arch=noarch&distro=opensuse-leap-15.5 | suse | apache-sshd-javadoc | < 2.12.0-150200.5.8.1 | opensuse-leap-15.5 | noarch |
| Affected | pkg:rpm/suse/apache-parent?arch=noarch&distro=opensuse-leap-15.5 | suse | apache-parent | < 31-150200.3.12.1 | opensuse-leap-15.5 | noarch |