Comment 1 for bug 2025664

This bug was fixed in the package openssh - 1:9.3p1-1ubuntu1

---------------
openssh (1:9.3p1-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2025664). Remaining changes:
    - debian/rules: modify dh_installsystemd invocations for
      socket-activated sshd
    - debian/openssh-server.postinst: handle migration of sshd_config options
      to systemd socket options on upgrade.
    - debian/README.Debian: document systemd socket activation.
    - debian/patches/socket-activation-documentation.patch: Document in
      sshd_config(5) that ListenAddress and Port no longer work.
    - debian/openssh-server.templates: include debconf prompt explaining
      when migration cannot happen due to multiple ListenAddress values
    - debian/.gitignore: drop file
    - debian/openssh-server.postrm: remove systemd drop-ins for
      socket-activated sshd on purge
    - debian/openssh-server.ucf-md5sum: update for Ubuntu delta
    - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move
      /run/sshd creation out of the systemd unit to a tmpfile config so
      that sshd can be run manually if necessary without having to create
      this directory by hand.
    - debian/patches/systemd-socket-activation.patch: Fix sshd
      re-execution behavior when socket activation is used
    - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket
      activation functionality.
    - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests
    - Ensure smooth upgrade path from versions affected by LP: #2020474:
      + debian/openssh-server.postint: do not try to restart systemd units,
        and instead indicate that a reboot is required
      + debian/tests/systemd-socket-activation: Reboot the testbed before starting the test
      + debian/rules: Do not stop ssh.socket on upgrade

openssh (1:9.3p1-1) unstable; urgency=medium

  * Debconf translations:
    - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
  * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
  * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was
      reported by Luci Stanescu (closes: #1033166).
    - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the
      getrrsetbyname(3) function if the standard library does not provide
      it, for use by the VerifyHostKeyDNS feature. A specifically crafted
      DNS response could cause this function to perform an out-of-bounds
      read of adjacent stack data, but this condition does not appear to be
      exploitable beyond denial-of-service to the ssh(1) client.
    - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
      outputting SSHFP fingerprints to allow algorithm selection.
    - sshd(8): add a `sshd -G` option that parses and prints the effective
      configuration without attempting to load private keys and perform
      other checks. This allows usage of the option before keys have been
      generated and for configuration evaluation and verification by
      unprivileged users.
    - scp(1), sftp(1): fix progressmeter corruption on wide displays.
    - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of
      private keys as some systems are starting to disable RSA/SHA1 in
      libcrypto.
    - sftp-server(8): fix a memory leak.
    - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
      compatibility code and simplify what's left.
    - Fix a number of low-impact Coverity static analysis findings.
    - ssh_config(5), sshd_config(5): mention that some options are not
      first-match-wins.
    - Rework logging for the regression tests. Regression tests will now
      capture separate logs for each ssh and sshd invocation in a test.
    - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says
      it should.
    - ssh(1): ensure that there is a terminating newline when adding a new
      entry to known_hosts.
    - sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
      mmap(2), madvise(2) and futex(2) flags, removing some concerning
      kernel attack surface.
  * debian/README.Debian: Clarify that you need to restart ssh.socket after
    overriding its ListenStream= option (LP: #2020560).
  * debian/openssh-server.postinst: Use "sshd -G" to parse the server
    configuration file (closes: #959726).
  * Fix incorrect RRSET_FORCE_EDNS0 flags validation in SSHFP DNSSEC patch
    (thanks, Ben Hutchings; closes: #909022).
  * Always use the internal mkdtemp implementation, since it substitutes
    more randomness into the template string than glibc's version (closes:
    #1001186).

 -- Nick Rosbrook <email address hidden> Mon, 03 Jul 2023 11:34:47 -0400