ALAS-2023-1794

An issue was discovered in OpenSSH 7.4 on Amazon Linux 2 and Amazon Linux 1. The fix for CVE-2019-6111 only covered cases where an absolute path is passed to scp. When a relative path is used there is no verification that the name of a file received by the client matches the file requested. (CVE-2023-35812)

i686:
    openssh-clients-7.4p1-22.78.amzn1.i686
    openssh-debuginfo-7.4p1-22.78.amzn1.i686
    openssh-keycat-7.4p1-22.78.amzn1.i686
    openssh-ldap-7.4p1-22.78.amzn1.i686
    openssh-server-7.4p1-22.78.amzn1.i686
    openssh-cavs-7.4p1-22.78.amzn1.i686
    pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.i686
    openssh-7.4p1-22.78.amzn1.i686

src:
    openssh-7.4p1-22.78.amzn1.src

x86_64:
    openssh-server-7.4p1-22.78.amzn1.x86_64
    openssh-7.4p1-22.78.amzn1.x86_64
    pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.x86_64
    openssh-ldap-7.4p1-22.78.amzn1.x86_64
    openssh-clients-7.4p1-22.78.amzn1.x86_64
    openssh-cavs-7.4p1-22.78.amzn1.x86_64
    openssh-debuginfo-7.4p1-22.78.amzn1.x86_64
    openssh-keycat-7.4p1-22.78.amzn1.x86_64