# Security update for apache-parent, apache-sshd

Announcement ID: SUSE-SU-2024:0224-1  
Rating: important  
References:

  * bsc#1205463
  * bsc#1218189

  
Cross-References:

  * CVE-2022-45047
  * CVE-2023-48795

  
CVSS scores:

  * CVE-2022-45047 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-48795 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2023-48795 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * Development Tools Module 15-SP5
  * openSUSE Leap 15.5
  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for apache-parent, apache-sshd fixes the following issues:

apache-parent was updated from version 28 to 31:

  * Version 31:
  * New Features:
    * Added maven-checkstyle-plugin to pluginManagement
  * Improvements:
    * Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins
    * Using an SPDX identifier as the license name is recommended by Maven
    * Use properties to define the versions of plugins
  * Bugs fixed:
    * Updated documentation for previous changes

apache-sshd was updated from version 2.7.0 to 2.12.0:

  * Security issues fixed:
  * CVE-2023-48795: Implemented OpenSSH "strict key exchange" protocol in
    apache-sshd version 2.12.0 (bsc#1218189)
  * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-
    sshd version 2.9.2 (bsc#1205463)

  * Other changes in version 2.12.0:

  * Bugs fixed:
    * SCP client fails silently when error signalled due to missing file or lacking permissions
    * Ignore unknown key types from agent or in OpenSSH host keys extension
  * New Features:
    * Support GIT protocol-v2
  * Other changes in version 2.11.0:
  * Bugs fixed:
    * Added configurable timeout(s) to DefaultSftpClient
    * Compare file keys in ModifiableFileWatcher.
    * Fixed channel pool in SftpFileSystem.
    * Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
    * Use correct lock modes for SFTP FileChannel.lock().
    * ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
    * SftpInputStreamAsync: fix reporting EOF on zero-length reads.
    * Work-around a bug in WS_FTP <= 12.9 SFTP clients.
    * (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
    * Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
    * Fixed error handling while flushing queued packets at end of KEX.
    * Fixed wrong log level on closing an Nio2Session.
    * Fixed detection of Android O/S from system properties.
    * Consider all applicable host keys from the known_hosts files.
    * SftpFileSystem: do not close user session.
    * ChannelAsyncOutputStream: remove write future when done.
    * SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
  * New Features:
    * Use KeepAliveHandler global request instance in client as well
    * Publish snapshot maven artifacts to the Apache Snapshots maven repository.
    * Bundle sshd-contrib has support classes for the HAProxy protocol V2.
  * Other changes in version 2.10.0:
  * Bugs fixed:
    * Connection attempt not canceled when a connection timeout occurs
    * Possible OOM in ChannelPipedInputStream
    * SftpRemotePathChannel.transferFrom(...) ignores position argument
    * Rooted file system can leak informations
    * Failed to establish an SSH connection because the server identifier exceeds the int range
  * Improvements:
    * Password in clear in SSHD server's logs
  * Other changes in version 2.9.2:
  * Bugs fixed:
    * SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
    * Use the maximum packet size of the communication partner
    * ExplicitPortForwardingTracker does not unbind auto-allocated one
    * Default SshClient FD leak because Selector not closed
    * Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
    * Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
    * Nio2Session.shutdownOutput() should wait for writes in progress
  * Test:
    * Research intermittent failure in unit tests using various I/O service factories
  * Other changes in version 2.9.1:
  * Bugs fixed:
    * ClientSession.auth().verify() is terminated with timeout
    * 2.9.0 release broken on Java 8
    * Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
    * Deadlock during session exit
    * Race condition is logged in ChannelAsyncOutputStream
  * Other changes in version 2.9.0:
  * Bugs fixed:
    * Deadlock on disconnection at the end of key-exchange
    * Remote port forwarding mode does not handle EOF properly
    * Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
    * Client fails window adjust above Integer.MAX_VALUE
    * class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
    * Shell is not getting closed if the command has already closed the OutputStream it is using.
    * Sometimes async write listener is not called
    * Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException
    * different host key algorithm used on rekey than used for the initial connection
    * OpenSSH certificate is not properly encoded when critical options are included
    * TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
    * UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
  * New Features:
    * Added support for Argon2 encrypted PUTTY key files
    * Added support for merged inverted output and error streams of remote process
  * Improvements:
    * Added support for "limits@openssh.com" SFTP extension
    * Support host-based pubkey authentication in the client
    * Send environment variable and open subsystem at the same time for SSH session
  * Other changes in version 2.8.0:
  * Bugs fixed:
    * Fixed wrong server key algorithm choice
    * Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
    * SFTP Get downloads empty file from servers which supports EOF indication after data
    * skip() doesn't work properly in SftpInputStreamAsync
    * OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api
    * SftpTransferTest sometimes hangs (failure during rekeying)
    * Race condition in KEX
    * Fix the ciphers supported documentation
    * Update tarLongFileMode to use POSIX
    * WinsCP transfer failure to Apache SSHD Server
    * Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
    * Support RSA SHA2 signatures via SSH agent
    * NOTICE: wrong copyright year range
    * Wrong creationTime in writeAttrs for SFTP
    * sshd-netty logs all traffic on INFO level
  * New Features:
    * Add support for chacha20-poly1305@openssh.com
    * Parsing of ~/.ssh/config Host patterns fails with extra whitespace
    * Support generating OpenSSH client certificates
  * Improvements:
    * Add support for curve25519-sha256@libssh.org key exchange
    * OpenSSH certificates: check certificate type
    * OpenSSHCertificatesTest: certificates expire in 2030
    * Display IdleTimeOut in more user-friendly format
    * sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file
    * Intercepting the server exception message from server in SSHD client
    * Implement RFC 8332 server-sig-algs on the server
    * Slow performance listing huge number of files on Apache SSHD server
    * SFTP: too many LSTAT calls
    * Support key constraints when adding a key to an SSH agent
    * Add SFTP server side file custom attributes hook

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-224=1

  * Development Tools Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-224=1

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224=1

  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2024-224=1

## Package List:

  * openSUSE Leap 15.5 (noarch)
    * apache-parent-31-150200.3.12.1
    * apache-sshd-javadoc-2.12.0-150200.5.8.1
    * apache-sshd-2.12.0-150200.5.8.1
  * Development Tools Module 15-SP5 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1
  * SUSE Enterprise Storage 7.1 (noarch)
    * apache-sshd-2.12.0-150200.5.8.1

## References:

  * https://www.suse.com/security/cve/CVE-2022-45047.html
  * https://www.suse.com/security/cve/CVE-2023-48795.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1205463
  * https://bugzilla.suse.com/show_bug.cgi?id=1218189

SUSE: 2024:0224-1 important: apache-parent, apache-sshd

January 25, 2024
* bsc#1205463 * bsc#1218189 Cross-References: * CVE-2022-45047

Summary

## This update for apache-parent, apache-sshd fixes the following issues: apache-parent was updated from version 28 to 31: * Version 31: * New Features: * Added maven-checkstyle-plugin to pluginManagement * Improvements: * Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins * Using an SPDX identifier as the license name is recommended by Maven * Use properties to define the versions of plugins * Bugs fixed: * Updated documentation for previous changes apache-sshd was updated from version 2.7.0 to 2.12.0: * Security issues fixed: * CVE-2023-48795: Implemented OpenSSH "strict key exchange" protocol in apache-sshd version 2.12.0 (bsc#1218189) * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache- sshd version 2.9.2 (bsc#1205463) * Other changes in version 2.12.0: * Bugs fixed: * SCP client fails silently when error signalled due to missing file or lacking permissions * Ignore unknown key types from agent or in OpenSSH host keys extension * New Features: * Support GIT protocol-v2 * Other changes in version 2.11.0: * Bugs fixed: * Added configurable timeout(s) to DefaultSftpClient * Compare file keys in ModifiableFileWatcher. * Fixed channel pool in SftpFileSystem. * Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel(). * Use correct lock modes for SFTP FileChannel.lock(). * ScpClient: support issuing commands to a server that uses a non-UTF-8 locale. * SftpInputStreamAsync: fix reporting EOF on zero-length reads. * Work-around a bug in WS_FTP <= 12.9 SFTP clients. * (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int). * Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE. * Fixed error handling while flushing queued packets at end of KEX. * Fixed wrong log level on closing an Nio2Session. * Fixed detection of Android O/S from system properties. * Consider all applicable host keys from the known_hosts files. * SftpFileSystem: do not close user session. * ChannelAsyncOutputStream: remove write future when done. * SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry. * New Features: * Use KeepAliveHandler global request instance in client as well * Publish snapshot maven artifacts to the Apache Snapshots maven repository. * Bundle sshd-contrib has support classes for the HAProxy protocol V2. * Other changes in version 2.10.0: * Bugs fixed: * Connection attempt not canceled when a connection timeout occurs * Possible OOM in ChannelPipedInputStream * SftpRemotePathChannel.transferFrom(...) ignores position argument * Rooted file system can leak informations * Failed to establish an SSH connection because the server identifier exceeds the int range * Improvements: * Password in clear in SSHD server's logs * Other changes in version 2.9.2: * Bugs fixed: * SFTP worker threads got stuck while processing PUT methods against one specific SFTP server * Use the maximum packet size of the communication partner * ExplicitPortForwardingTracker does not unbind auto-allocated one * Default SshClient FD leak because Selector not closed * Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1 * Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called * Nio2Session.shutdownOutput() should wait for writes in progress * Test: * Research intermittent failure in unit tests using various I/O service factories * Other changes in version 2.9.1: * Bugs fixed: * ClientSession.auth().verify() is terminated with timeout * 2.9.0 release broken on Java 8 * Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead * Deadlock during session exit * Race condition is logged in ChannelAsyncOutputStream * Other changes in version 2.9.0: * Bugs fixed: * Deadlock on disconnection at the end of key-exchange * Remote port forwarding mode does not handle EOF properly * Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature) * Client fails window adjust above Integer.MAX_VALUE * class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher * Shell is not getting closed if the command has already closed the OutputStream it is using. * Sometimes async write listener is not called * Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException * different host key algorithm used on rekey than used for the initial connection * OpenSSH certificate is not properly encoded when critical options are included * TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH * UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent * New Features: * Added support for Argon2 encrypted PUTTY key files * Added support for merged inverted output and error streams of remote process * Improvements: * Added support for "limits@openssh.com" SFTP extension * Support host-based pubkey authentication in the client * Send environment variable and open subsystem at the same time for SSH session * Other changes in version 2.8.0: * Bugs fixed: * Fixed wrong server key algorithm choice * Expiration of OpenSshCertificates needs to compare timestamps as unsigned long * SFTP Get downloads empty file from servers which supports EOF indication after data * skip() doesn't work properly in SftpInputStreamAsync * OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api * SftpTransferTest sometimes hangs (failure during rekeying) * Race condition in KEX * Fix the ciphers supported documentation * Update tarLongFileMode to use POSIX * WinsCP transfer failure to Apache SSHD Server * Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true * Support RSA SHA2 signatures via SSH agent * NOTICE: wrong copyright year range * Wrong creationTime in writeAttrs for SFTP * sshd-netty logs all traffic on INFO level * New Features: * Add support for chacha20-poly1305@openssh.com * Parsing of ~/.ssh/config Host patterns fails with extra whitespace * Support generating OpenSSH client certificates * Improvements: * Add support for curve25519-sha256@libssh.org key exchange * OpenSSH certificates: check certificate type * OpenSSHCertificatesTest: certificates expire in 2030 * Display IdleTimeOut in more user-friendly format * sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from outside using variable/config file * Intercepting the server exception message from server in SSHD client * Implement RFC 8332 server-sig-algs on the server * Slow performance listing huge number of files on Apache SSHD server * SFTP: too many LSTAT calls * Support key constraints when adding a key to an SSH agent * Add SFTP server side file custom attributes hook ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-224=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-224=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224=1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224=1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-224=1 ## Package List: * openSUSE Leap 15.5 (noarch) * apache-parent-31-150200.3.12.1 * apache-sshd-javadoc-2.12.0-150200.5.8.1 * apache-sshd-2.12.0-150200.5.8.1 * Development Tools Module 15-SP5 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * apache-sshd-2.12.0-150200.5.8.1 * SUSE Enterprise Storage 7.1 (noarch) * apache-sshd-2.12.0-150200.5.8.1

References

* bsc#1205463

* bsc#1218189

Cross-

* CVE-2022-45047

* CVE-2023-48795

CVSS scores:

* CVE-2022-45047 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

* CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

* CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:

* Development Tools Module 15-SP5

* openSUSE Leap 15.5

* SUSE Enterprise Storage 7.1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4

* SUSE Linux Enterprise Desktop 15 SP5

* SUSE Linux Enterprise High Performance Computing 15 SP2

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise High Performance Computing 15 SP3

* SUSE Linux Enterprise High Performance Computing 15 SP4

* SUSE Linux Enterprise High Performance Computing 15 SP5

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4

* SUSE Linux Enterprise Real Time 15 SP5

* SUSE Linux Enterprise Server 15 SP2

* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise Server 15 SP3

* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3

* SUSE Linux Enterprise Server 15 SP4

* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4

* SUSE Linux Enterprise Server 15 SP5

* SUSE Linux Enterprise Server for SAP Applications 15 SP2

* SUSE Linux Enterprise Server for SAP Applications 15 SP3

* SUSE Linux Enterprise Server for SAP Applications 15 SP4

* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves two vulnerabilities can now be installed.

##

* https://www.suse.com/security/cve/CVE-2022-45047.html

* https://www.suse.com/security/cve/CVE-2023-48795.html

* https://bugzilla.suse.com/show_bug.cgi?id=1205463

* https://bugzilla.suse.com/show_bug.cgi?id=1218189

Severity
Announcement ID: SUSE-SU-2024:0224-1
Rating: important

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo