ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
(cherry picked from commit 8c67967cb14b0ab7e26ffa9ab6cef470a154e030)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Security: FreeBSD-SA-25:05.openssh
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
(cherry picked from commit 8c67967cb14b0ab7e26ffa9ab6cef470a154e030)
Approved by: re (implicit)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
(cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
ssh: Fix cases where error codes were not correctly set
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Sponsored by: The FreeBSD Foundation
FreeBSD/src b16cb28 — crypto/openssh ChangeLog servconf.c, crypto/openssh/regress Makefile channel-timeout.sh
ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52)
(cherry picked from commit 464fa66f639bdc8e340dd3f640af4309530d48ca)
FreeBSD/src 464fa66 — crypto/openssh ChangeLog servconf.c, crypto/openssh/regress Makefile channel-timeout.sh
ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52)
FreeBSD/src a91a246 — crypto/openssh ChangeLog servconf.c, crypto/openssh/regress Makefile channel-timeout.sh
ssh: Update to OpenSSH 9.7p1
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
FreeBSD/src 2cd20d9 — crypto/openssh ChangeLog moduli, crypto/openssh/regress agent-pkcs11-restrict.sh test-exec.sh
ssh: Update to OpenSSH 9.6p1
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
(cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706)
FreeBSD/src f26eafd — crypto/openssh ChangeLog moduli, crypto/openssh/openbsd-compat libressl-api-compat.c openssl-compat.h
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
[19 lines not shown]
FreeBSD/src a257896 — crypto/openssh ChangeLog moduli, crypto/openssh/regress agent-pkcs11-restrict.sh test-exec.sh
ssh: Update to OpenSSH 9.6p1
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
FreeBSD/src 069ac18 — crypto/openssh ChangeLog moduli, crypto/openssh/regress agent-pkcs11-restrict.sh test-exec.sh
ssh: Update to OpenSSH 9.6p1
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
FreeBSD/src 535af61 — crypto/openssh ChangeLog moduli, crypto/openssh/openbsd-compat libressl-api-compat.c openssl-compat.h
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
[16 lines not shown]
FreeBSD/src 20bcfc3 — crypto/openssh ChangeLog ssh-agent.1, crypto/openssh/contrib/suse openssh.spec
ssh: Update to OpenSSH 9.3p2
Approved by: so
Security: FreeBSD-SA-23:08.ssh
Security: CVE-2023-38408
ssh: Apply CVE-2023-38408 fix from OpenSSH 9.3p2
Approved by: so
Security: FreeBSD-SA-23:08.ssh
Security: CVE-2023-38408
ssh: disallow loading PKCS#11 modules by default
This is the rest of the OpenSSH 9.3p2 change to address CVE-2023-38408.
From the release notes:
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
Security: CVE-2023-38408
Sponsored by: The FreeBSD Foundation
ssh-agent: document "-O no-restrict-websafe"
OpenSSH commits 9fd2441113fc and 4a4883664d6b, which are part of
OpenSSH 9.2p1.
Sponsored by: The FreeBSD Foundation
FreeBSD/src d578a19 — crypto/openssh ChangeLog ssh-agent.1, crypto/openssh/contrib/redhat openssh.spec
ssh: Update to OpenSSH 9.3p2
From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
[30 lines not shown]
ssh: Update to OpenSSH 9.3p2
From the release notes:
Changes since OpenSSH 9.3
=========================
This release fixes a security bug.
Security
========
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
[28 lines not shown]
FreeBSD/src 43ad407 — crypto/openssh ChangeLog progressmeter.c, crypto/openssh/openbsd-compat bsd-snprintf.c
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
[19 lines not shown]
FreeBSD/src 802b483 — crypto/openssh ChangeLog progressmeter.c, crypto/openssh/openbsd-compat bsd-snprintf.c
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
[19 lines not shown]
FreeBSD/src 4d3fc8b — crypto/openssh ChangeLog progressmeter.c, crypto/openssh/openbsd-compat bsd-snprintf.c
ssh: Update to OpenSSH 9.3p1
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
[15 lines not shown]
ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
[28 lines not shown]
ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
[27 lines not shown]
ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
[25 lines not shown]
FreeBSD/src 50cb877 — crypto/openssh ChangeLog moduli, crypto/openssh/openbsd-compat arc4random.c
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
[51 lines not shown]
FreeBSD/src 4aee715 — crypto/openssh ChangeLog moduli, crypto/openssh/openbsd-compat arc4random.c
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
[48 lines not shown]
FreeBSD/src 75f9d5c — crypto/openssh ChangeLog moduli, crypto/openssh/openbsd-compat arc4random.c
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
[47 lines not shown]