{"affected":[{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP5","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP2-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP3-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP4-LTSS","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP2","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP3","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP4","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-sshd":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"SUSE:Enterprise Storage 7.1","name":"apache-sshd","purl":"pkg:rpm/suse/apache-sshd&distro=SUSE%20Enterprise%20Storage%207.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-parent":"31-150200.3.12.1","apache-sshd":"2.12.0-150200.5.8.1","apache-sshd-javadoc":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"apache-parent","purl":"pkg:rpm/opensuse/apache-parent&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"31-150200.3.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache-parent":"31-150200.3.12.1","apache-sshd":"2.12.0-150200.5.8.1","apache-sshd-javadoc":"2.12.0-150200.5.8.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"apache-sshd","purl":"pkg:rpm/opensuse/apache-sshd&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.12.0-150200.5.8.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for apache-parent, apache-sshd fixes the following issues:\n\napache-parent was updated from version 28 to 31:\n\n- Version 31:\n  * New Features:\n    + Added maven-checkstyle-plugin to pluginManagement\n  * Improvements:\n    + Set minimalMavenBuildVersion to 3.6.3 - the minimum\n      used by plugins\n    + Using an SPDX identifier as the license name is\n      recommended by Maven\n    + Use properties to define the versions of plugins\n  * Bugs fixed:\n    + Updated documentation for previous changes\n\napache-sshd was updated from version 2.7.0 to 2.12.0:\n\n- Security issues fixed:\n  * CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)\n  * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)\n\n- Other changes in version 2.12.0:\n  * Bugs fixed:\n    + SCP client fails silently when error signalled due to missing file or lacking permissions\n    + Ignore unknown key types from agent or in OpenSSH host keys extension\n  * New Features:\n    + Support GIT protocol-v2\n- Other changes in version 2.11.0:\n  * Bugs fixed:\n    + Added configurable timeout(s) to DefaultSftpClient\n    + Compare file keys in ModifiableFileWatcher.\n    + Fixed channel pool in SftpFileSystem.\n    + Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().\n    + Use correct lock modes for SFTP FileChannel.lock().\n    + ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.\n    + SftpInputStreamAsync: fix reporting EOF on zero-length reads.\n    + Work-around a bug in WS_FTP <= 12.9 SFTP clients.\n    + (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).\n    + Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.\n    + Fixed error handling while flushing queued packets at end of KEX.\n    + Fixed wrong log level on closing an Nio2Session.\n    + Fixed detection of Android O/S from system properties.\n    + Consider all applicable host keys from the known_hosts files.\n    + SftpFileSystem: do not close user session.\n    + ChannelAsyncOutputStream: remove write future when done.\n    + SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.\n  * New Features:\n    + Use KeepAliveHandler global request instance in client as well\n    + Publish snapshot maven artifacts to the Apache Snapshots maven repository.\n    + Bundle sshd-contrib has support classes for the HAProxy protocol V2.\n-  Other changes in version 2.10.0:\n  * Bugs fixed:\n    + Connection attempt not canceled when a connection timeout occurs\n    + Possible OOM in ChannelPipedInputStream\n    + SftpRemotePathChannel.transferFrom(...) ignores position argument\n    + Rooted file system can leak informations\n    + Failed to establish an SSH connection because the server identifier exceeds the int range\n  * Improvements:\n    + Password in clear in SSHD server's logs\n- Other changes in version 2.9.2:\n  * Bugs fixed:\n    + SFTP worker threads got stuck while processing PUT methods against one specific SFTP server\n    + Use the maximum packet size of the communication partner\n    + ExplicitPortForwardingTracker does not unbind auto-allocated one\n    + Default SshClient FD leak because Selector not closed\n    + Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1\n    + Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called\n    + Nio2Session.shutdownOutput() should wait for writes in progress\n  * Test:\n    + Research intermittent failure in unit tests using various I/O\n      service factories\n- Other changes in version 2.9.1:\n  * Bugs fixed:\n    + ClientSession.auth().verify() is terminated with timeout\n    + 2.9.0 release broken on Java 8\n    + Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead\n    + Deadlock during session exit\n    + Race condition is logged in ChannelAsyncOutputStream\n- Other changes in version 2.9.0:\n  * Bugs fixed:\n    + Deadlock on disconnection at the end of key-exchange\n    + Remote port forwarding mode does not handle EOF properly\n    + Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)\n    + Client fails window adjust above Integer.MAX_VALUE\n    + class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher\n    + Shell is not getting closed if the command has already closed the OutputStream it is using.\n    + Sometimes async write listener is not called\n    + Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException\n    + different host key algorithm used on rekey than used for the initial connection\n    + OpenSSH certificate is not properly encoded when critical options are included\n    + TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH\n    + UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent\n  * New Features:\n    + Added support for Argon2 encrypted PUTTY key files\n    + Added support for merged inverted output and error streams of remote process\n  * Improvements:\n    + Added support for 'limits@openssh.com' SFTP extension\n    + Support host-based pubkey authentication in the client\n    + Send environment variable and open subsystem at the same time for SSH session\n- Other changes in version 2.8.0:\n  * Bugs fixed:\n    + Fixed wrong server key algorithm choice\n    + Expiration of OpenSshCertificates needs to compare timestamps as unsigned long\n    + SFTP Get downloads empty file from servers which supports EOF indication after data\n    + skip() doesn't work properly in SftpInputStreamAsync\n    + OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api\n    + SftpTransferTest sometimes hangs (failure during rekeying)\n    + Race condition in KEX\n    + Fix the ciphers supported documentation\n    + Update tarLongFileMode to use POSIX\n    + WinsCP transfer failure to Apache SSHD Server\n    + Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true\n    + Support RSA SHA2 signatures via SSH agent\n    + NOTICE: wrong copyright year range\n    + Wrong creationTime in writeAttrs for SFTP\n    + sshd-netty logs all traffic on INFO level\n  * New Features:\n    + Add support for chacha20-poly1305@openssh.com\n    + Parsing of ~/.ssh/config Host patterns fails with extra\n      whitespace\n    + Support generating OpenSSH client certificates\n  * Improvements:\n    + Add support for curve25519-sha256@libssh.org key exchange\n    + OpenSSH certificates: check certificate type\n    + OpenSSHCertificatesTest: certificates expire in 2030\n    + Display IdleTimeOut in more user-friendly format\n    + sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from\n      outside using variable/config file\n    + Intercepting the server exception message from server in SSHD client\n    + Implement RFC 8332 server-sig-algs on the server\n    + Slow performance listing huge number of files on Apache SSHD server\n    + SFTP: too many LSTAT calls\n    + Support key constraints when adding a key to an SSH agent\n    + Add SFTP server side file custom attributes hook\n\n","id":"SUSE-SU-2024:0224-1","modified":"2024-01-25T08:27:16Z","published":"2024-01-25T08:27:16Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20240224-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1205463"},{"type":"REPORT","url":"https://bugzilla.suse.com/1218189"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-45047"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-48795"}],"related":["CVE-2022-45047","CVE-2023-48795"],"summary":"Security update for apache-parent, apache-sshd","upstream":["CVE-2022-45047","CVE-2023-48795"]}