ALAS2-2023-2176

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if the target user's ssh-agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. (CVE-2023-38408)

aarch64:
    openssh-7.4p1-22.amzn2.0.3.aarch64
    openssh-clients-7.4p1-22.amzn2.0.3.aarch64
    openssh-server-7.4p1-22.amzn2.0.3.aarch64
    openssh-server-sysvinit-7.4p1-22.amzn2.0.3.aarch64
    openssh-ldap-7.4p1-22.amzn2.0.3.aarch64
    openssh-keycat-7.4p1-22.amzn2.0.3.aarch64
    openssh-askpass-7.4p1-22.amzn2.0.3.aarch64
    openssh-cavs-7.4p1-22.amzn2.0.3.aarch64
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.3.aarch64
    openssh-debuginfo-7.4p1-22.amzn2.0.3.aarch64

i686:
    openssh-7.4p1-22.amzn2.0.3.i686
    openssh-clients-7.4p1-22.amzn2.0.3.i686
    openssh-server-7.4p1-22.amzn2.0.3.i686
    openssh-server-sysvinit-7.4p1-22.amzn2.0.3.i686
    openssh-ldap-7.4p1-22.amzn2.0.3.i686
    openssh-keycat-7.4p1-22.amzn2.0.3.i686
    openssh-askpass-7.4p1-22.amzn2.0.3.i686
    openssh-cavs-7.4p1-22.amzn2.0.3.i686
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.3.i686
    openssh-debuginfo-7.4p1-22.amzn2.0.3.i686

src:
    openssh-7.4p1-22.amzn2.0.3.src

x86_64:
    openssh-7.4p1-22.amzn2.0.3.x86_64
    openssh-clients-7.4p1-22.amzn2.0.3.x86_64
    openssh-server-7.4p1-22.amzn2.0.3.x86_64
    openssh-server-sysvinit-7.4p1-22.amzn2.0.3.x86_64
    openssh-ldap-7.4p1-22.amzn2.0.3.x86_64
    openssh-keycat-7.4p1-22.amzn2.0.3.x86_64
    openssh-askpass-7.4p1-22.amzn2.0.3.x86_64
    openssh-cavs-7.4p1-22.amzn2.0.3.x86_64
    pam_ssh_agent_auth-0.10.3-2.22.amzn2.0.3.x86_64
    openssh-debuginfo-7.4p1-22.amzn2.0.3.x86_64