Suggestion: Update Openssh to 9.3p2 in stable from testing because CVE-2023-38408

Hello,

I don’t know if manjaro has a dedicated security team, but I noticed that Arch updated to the non-vulnerable version on the 19th and Manjaro on the 20th in unstable and testing, but not in stable.

I understand the reasons for the cycles between the 3 branches, but hence my query, since that particular update is available and could be done.

$ mbn info openssh -q
Branch         : archlinux
Name           : openssh
Version        : 9.3p2-1
Repository     : core
Build Date     : Wed 19 Jul 2023 20:43:36 
Packager       : Levente Polyak <anthraxx@archlinux.org>
Branch         : unstable
Name           : openssh
Version        : 9.3p2-1
Repository     : core
Build Date     : Wed 19 Jul 2023 20:43:36 
Packager       : Levente Polyak <anthraxx@archlinux.org>
Branch         : testing
Name           : openssh
Version        : 9.3p2-1
Repository     : core
Build Date     : Wed 19 Jul 2023 20:43:36 
Packager       : Levente Polyak <anthraxx@archlinux.org>
Branch         : stable
Name           : openssh
Version        : 9.3p1-2
Repository     : core
Build Date     : Tue 30 May 2023 19:08:19 
Packager       : Pierre Schmitz <pierre@archlinux.org>

@Yochanan @philm

Note that certain conditions need to exist - especially the second condition mentioned - for an attack to be successful.

ssh-agent(1) in OpenSSH between 5.5 and 9.3p1 (inclusive): remote code execution relating to PKCS#11 providers
The PKCS#11 support in ssh-agent(1) could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:

  • Exploitation requires the presence of specific libraries on the victim system.
  • Remote exploitation requires that the agent was forwarded to an attacker-controlled system.

OpenSSH: Security
NVD - CVE-2023-38408

This may suggest that gamers may fall prey to an attacker if the attacker controls a popular game serving portal or similar which requires an ssh connection.

Likewise running illegally obtained cracked games could open the system for attack.
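As an added example that is not part of this thread or of Manjaro's tooling: a small POSIX sh helper that tells a user whether an OpenSSH version string (as printed by `ssh -V` or by `pacman -Q openssh`) falls inside the range quoted above, 5.5 up to and including 9.3p1, and whether a client config turns on `ForwardAgent`, which is the second condition from the advisory. The function names, the sample config text and the numeric encoding of versions are assumptions made for this example; the version range is the one stated in the thread.

```shell
#!/bin/sh
# Hypothetical helper (not from the forum thread or the openssh package):
# classify an OpenSSH version string against the CVE-2023-38408 affected
# range 5.5 .. 9.3p1 (inclusive) and flag ForwardAgent in a client config.

# Normalise "OpenSSH_9.3p1", "9.3p2-1" or "8.9p1-3ubuntu0.3" to the three
# integers "MAJOR MINOR PORTABLE". A missing "pN" suffix (OpenBSD builds)
# is reported as portable level 0. Returns 1 when the string is not a version.
openssh_version_parts() {
    v=$(printf '%s' "$1" | sed -n 's/^\(OpenSSH_\)\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\2 \3 \5/p')
    [ -n "$v" ] || return 1
    set -- $v
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# Exit status 0 = inside the affected range, 1 = outside it, 2 = unparsable.
# Versions are packed as MAJOR*10000 + MINOR*100 + PORTABLE so that a plain
# integer comparison orders them correctly: 5.5 -> 50500, 9.3p1 -> 90301.
openssh_affected() {
    parts=$(openssh_version_parts "$1") || return 2
    set -- $parts
    num=$(( $1 * 10000 + $2 * 100 + $3 ))
    [ "$num" -ge 50500 ] && [ "$num" -le 90301 ]
}

# Exit status 0 when the config text passed as $1 contains a literal
# "ForwardAgent yes" directive (the default is "no", so absence means off).
agent_forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes([[:space:]]|$)'
}

# Constructed sample configs (not real user files) used for the demo below.
SAMPLE_CONFIG_FORWARDING='# constructed sample ~/.ssh/config
Host build-box
    HostName build.example.invalid
    ForwardAgent yes
Host *
    ForwardAgent no'

SAMPLE_CONFIG_PLAIN='# constructed sample ~/.ssh/config
Host *
    ForwardAgent no'

# Check the ssh client actually installed on this machine, if there is one.
report_local_openssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh client not found; nothing to check"
        return 0
    fi
    ver=$(ssh -V 2>&1 | sed 's/,.*//')   # "OpenSSH_9.3p1, OpenSSL ..." -> "OpenSSH_9.3p1"
    rc=0
    openssh_affected "$ver" || rc=$?
    case $rc in
        0) echo "$ver: inside the affected range (5.5 .. 9.3p1); update, and keep ForwardAgent off for untrusted hosts" ;;
        1) echo "$ver: outside the affected range" ;;
        *) echo "$ver: could not parse version string" ;;
    esac
}

# Demo on constructed inputs only, so the script runs anywhere.
for sample in "9.3p1-2" "9.3p2-1" "OpenSSH_8.9p1" "5.4p1"; do
    if openssh_affected "$sample"; then
        echo "$sample: affected"
    else
        echo "$sample: not affected"
    fi
done
if agent_forwarding_enabled "$SAMPLE_CONFIG_FORWARDING"; then
    echo "sample config enables ForwardAgent for at least one host"
fi
report_local_openssh
```

The stable package in the thread, 9.3p1-2, classifies as affected and the testing package, 9.3p2-1, as not; the `-2`/`-1` pacman release suffix is ignored because it does not change the upstream code. The ForwardAgent check only looks for the literal `yes`; newer clients also accept an explicit socket path for that option, which this example does not detect.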

openssh 9.3p2-0.1 is pushed to the stable branch.

