Description: | Summary: The remote host is missing an update for the 'apache-parent, apache-sshd' package(s) announced via the SUSE-SU-2024:0224-1 advisory.
Vulnerability Insight: This update for apache-parent, apache-sshd fixes the following issues:
apache-parent was updated from version 28 to 31:
- Version 31:
  * New Features:
    + Added maven-checkstyle-plugin to pluginManagement
  * Improvements:
    + Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins
    + Using an SPDX identifier as the license name is recommended by Maven
    + Use properties to define the versions of plugins
  * Bugs fixed:
    + Updated documentation for previous changes
apache-sshd was updated from version 2.7.0 to 2.12.0:
- Security issues fixed:
  * CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)
  * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)
- Other changes in version 2.12.0:
  * Bugs fixed:
    + SCP client fails silently when error signalled due to missing file or lacking permissions
    + Ignore unknown key types from agent or in OpenSSH host keys extension
  * New Features:
    + Support GIT protocol-v2
- Other changes in version 2.11.0:
  * Bugs fixed:
    + Added configurable timeout(s) to DefaultSftpClient
    + Compare file keys in ModifiableFileWatcher.
    + Fixed channel pool in SftpFileSystem.
    + Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
    + Use correct lock modes for SFTP FileChannel.lock().
    + ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
    + SftpInputStreamAsync: fix reporting EOF on zero-length reads.
    + Work-around a bug in WS_FTP <= 12.9 SFTP clients.
    + (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
    + Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
    + Fixed error handling while flushing queued packets at end of KEX.
    + Fixed wrong log level on closing an Nio2Session.
    + Fixed detection of Android O/S from system properties.
    + Consider all applicable host keys from the known_hosts files.
    + SftpFileSystem: do not close user session.
    + ChannelAsyncOutputStream: remove write future when done.
    + SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
  * New Features:
    + Use KeepAliveHandler global request instance in client as well
    + Publish snapshot maven artifacts to the Apache Snapshots maven repository.
    + Bundle sshd-contrib has support classes for the HAProxy protocol V2.
- Other changes in version 2.10.0:
  * Bugs fixed:
    + Connection attempt not canceled when a connection timeout occurs
    + Possible OOM in ChannelPipedInputStream
    + SftpRemotePathChannel.transferFrom(...) ignores position argument
    + Rooted file system can leak information
    + Failed to establish an SSH connection because the server identifier exceeds the int range
  * Improvements:
    + Password in clear in SSHD server's logs
- Other changes in version 2.9.2:
  * Bugs ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS: 'apache-parent, apache-sshd' package(s) on openSUSE Leap 15.5.
Solution: Please install the updated package(s).
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
|