mirror of
https://git.yoctoproject.org/poky
synced 2026-04-30 21:32:13 +02:00
e01d123ba1
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. References: https://nvd.nist.gov/vuln/detail/CVE-2023-38408 Upstream patches:892506b1361f2731f5d729ef8a0486099cdf59ce(From OE-Core rev: 3c01159ab6a843fc922cf779b022c965d4ecd453) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>