===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0847
                    network-manager-ssh security update
                               10 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           network-manager-ssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9355

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4637

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running network-manager-ssh check for an updated version of the
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4637-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 09, 2020                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : network-manager-ssh
CVE ID         : CVE-2020-9355

Kobus van Schoor discovered that network-manager-ssh, a plugin to provide
VPN integration for SSH in NetworkManager, is prone to a privilege
escalation vulnerability. A local user with privileges to modify a
connection can take advantage of this flaw to execute arbitrary commands
as root.

This update drops support to pass extra SSH options to the ssh
invocation.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.1-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.10-1+deb10u1.

We recommend that you upgrade your network-manager-ssh packages.

For the detailed security status of network-manager-ssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/network-manager-ssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================