summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--debian/.gitlab-ci.yml9
-rw-r--r--debian/changelog31
-rw-r--r--debian/patches/CVE-2021-41617-1.patch35
-rw-r--r--debian/patches/CVE-2021-41617-2.patch26
-rw-r--r--debian/patches/CVE-2023-48795-buster.patch12
-rw-r--r--debian/patches/CVE-2023-48795.patch490
-rw-r--r--debian/patches/CVE-2023-51385.patch94
-rw-r--r--debian/patches/series5
-rw-r--r--debian/salsa-ci.yml9
9 files changed, 702 insertions, 9 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
deleted file mode 100644
index 4816152..0000000
--- a/debian/.gitlab-ci.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
-
-variables:
- RELEASE: 'buster'
- SALSA_CI_COMPONENTS: 'main contrib non-free'
- SALSA_CI_DISABLE_REPROTEST: 1
- SALSA_CI_DISABLE_LINTIAN: 1
- SALSA_CI_DISABLE_PIUPARTS: 1
diff --git a/debian/changelog b/debian/changelog
index 0e30cc0..d219da9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+openssh (1:7.9p1-10+deb10u4) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Rename debian/.gitlab-ci.yml to debian/salsa-ci.yml and use
+ lts-team/pipeline recipe for buster in it.
+ * [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
+ thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
+ Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
+ a limited break of the integrity of the early encrypted SSH transport
+ protocol by sending extra messages prior to the commencement of
+ encryption, and deleting an equal number of consecutive messages
+ immediately after encryption starts. A peer SSH client/server would
+ not be able to detect that messages were deleted.
+ * [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
+ shell metacharacters was passed to ssh(1), and a ProxyCommand,
+ LocalCommand directive or "match exec" predicate referenced the user
+ or hostname via %u, %h or similar expansion token, then an attacker
+ who could supply arbitrary user/hostnames to ssh(1) could potentially
+ perform command injection depending on what quoting was present in the
+ user-supplied ssh_config(5) directive. ssh(1) now bans most shell
+ metacharacters from user and hostnames supplied via the command-line.
+ * [CVE-2021-41617]: sshd(8) from OpenSSH 6.2 through 8.7 failed to
+ correctly initialise supplemental groups when executing an
+ AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a
+ AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive
+ has been set to run the command as a different user. Instead these
+ commands would inherit the groups that sshd(8) was started with
+ (closes: #995130).
+
+ -- Santiago Ruano Rincón <santiago@freexian.com> Sun, 24 Dec 2023 15:39:13 -0500
+
openssh (1:7.9p1-10+deb10u3) buster-security; urgency=high
* Non-maintainer upload.
diff --git a/debian/patches/CVE-2021-41617-1.patch b/debian/patches/CVE-2021-41617-1.patch
new file mode 100644
index 0000000..042c9bc
--- /dev/null
+++ b/debian/patches/CVE-2021-41617-1.patch
@@ -0,0 +1,35 @@
+From ad2748dee50e4c0040f6efda5eff4a34e4eb5b85 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 26 Sep 2021 14:01:03 +0000
+Subject: upstream: need initgroups() before setresgid(); reported by anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+Bug-Debian: https://bugs.debian.org/995130
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=f3cbe43e28fe71427d41cfe3a17125b972710455
+Last-Update: 2023-12-19
+
+Patch-Name: CVE-2021-41617-1.patch
+---
+ auth.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: openssh/auth.c
+===================================================================
+--- openssh.orig/auth.c
++++ openssh/auth.c
+@@ -866,6 +866,12 @@ subprocess(const char *tag, struct passw
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
diff --git a/debian/patches/CVE-2021-41617-2.patch b/debian/patches/CVE-2021-41617-2.patch
new file mode 100644
index 0000000..62a066b
--- /dev/null
+++ b/debian/patches/CVE-2021-41617-2.patch
@@ -0,0 +1,26 @@
+From 0afd6ea47554dee40d1eaf33fa73d693fb661e64 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 27 Sep 2021 00:03:19 +1000
+Subject: initgroups needs grp.h
+
+Bug-Debian: https://bugs.debian.org/995130
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=bf944e3794eff5413f2df1ef37cddf96918c6bde
+Last-Update: 2023-12-19
+
+Patch-Name: CVE-2021-41617-2.patch
+---
+ auth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/auth.c b/auth.c
+index 32870851b..88578ec45 100644
+--- a/auth.c
++++ b/auth.c
+@@ -39,6 +39,7 @@
+ # include <paths.h>
+ #endif
+ #include <pwd.h>
++#include <grp.h>
+ #ifdef HAVE_LOGIN_H
+ #include <login.h>
+ #endif
diff --git a/debian/patches/CVE-2023-48795-buster.patch b/debian/patches/CVE-2023-48795-buster.patch
new file mode 100644
index 0000000..6a53c5d
--- /dev/null
+++ b/debian/patches/CVE-2023-48795-buster.patch
@@ -0,0 +1,12 @@
+Index: openssh/kex.c
+===================================================================
+--- openssh.orig/kex.c
++++ openssh/kex.c
+@@ -630,6 +630,7 @@ kex_new(struct ssh *ssh, char *proposal[
+ }
+ if ((r = kex_prop2buf(kex->my, proposal)) != 0)
+ goto out;
++ kex->flags = KEX_INITIAL;
+ kex->done = 0;
+ kex_reset_dispatch(ssh);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
diff --git a/debian/patches/CVE-2023-48795.patch b/debian/patches/CVE-2023-48795.patch
new file mode 100644
index 0000000..3495099
--- /dev/null
+++ b/debian/patches/CVE-2023-48795.patch
@@ -0,0 +1,490 @@
+From 802a7af111c9ddb438ca4fd8c5cc35534e199fda Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:45:17 +0000
+Subject: upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
+Last-Update: 2023-12-21
+
+Patch-Name: CVE-2023-48795.patch
+---
+ PROTOCOL | 26 +++++++++++++++++
+ kex.c | 68 ++++++++++++++++++++++++++++++++-----------
+ kex.h | 1 +
+ packet.c | 80 ++++++++++++++++++++++++++++++++++++++-------------
+ sshconnect2.c | 14 +++------
+ sshd.c | 8 ++++--
+ 6 files changed, 149 insertions(+), 48 deletions(-)
+
+Index: openssh/PROTOCOL
+===================================================================
+--- openssh.orig/PROTOCOL
++++ openssh/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curv
+ described at:
+ http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
+
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++ out-of-sequence packet is received. This includes terminating the
++ connection if the first packet received is not SSH2_MSG_KEXINIT.
++ Unexpected packets for the purpose of strict KEX include messages
++ that are otherwise valid at any time during the connection such as
++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++ packet sequence number to zero. This behaviour persists for the
++ duration of the connection (i.e. not just the first
++ SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+
+ 2.1. connection: Channel write close extension "eow@openssh.com"
+Index: openssh/kex.c
+===================================================================
+--- openssh.orig/kex.c
++++ openssh/kex.c
+@@ -59,7 +59,7 @@
+ #endif
+
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+
+ static const char *proposal_names[PROPOSAL_MAX] = {
+@@ -179,6 +179,18 @@ kex_names_valid(const char *names)
+ return 1;
+ }
+
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++ char *cp;
++
++ if ((cp = match_list(proposal, algs, NULL)) == NULL)
++ return 0;
++ free(cp);
++ return 1;
++}
++
+ /*
+ * Concatenate algorithm names, avoiding duplicates in the process.
+ * Caller must free returned string.
+@@ -186,7 +198,7 @@ kex_names_valid(const char *names)
+ char *
+ kex_names_cat(const char *a, const char *b)
+ {
+- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
++ char *ret = NULL, *tmp = NULL, *cp, *p;
+ size_t len;
+
+ if (a == NULL || *a == '\0')
+@@ -203,10 +215,8 @@ kex_names_cat(const char *a, const char
+ }
+ strlcpy(ret, a, len);
+ for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
+- if ((m = match_list(ret, p, NULL)) != NULL) {
+- free(m);
++ if (has_any_alg(ret, p))
+ continue; /* Algorithm already present */
+- }
+ if (strlcat(ret, ",", len) >= len ||
+ strlcat(ret, p, len) >= len) {
+ free(tmp);
+@@ -396,7 +406,12 @@ kex_protocol_error(int type, u_int32_t s
+ {
+ int r;
+
+- error("kex protocol error: type %d seq %u", type, seq);
++ /* If in strict mode, any unexpected message is an error */
++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
++ ssh_packet_disconnect(ssh, "strict KEX violation: "
++ "unexpected packet type %u (seqnr %u)", type, seq);
++ }
++ error("%s: type %u seq %u", __func__, type, seq);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
+ (r = sshpkt_put_u32(ssh, seq)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+@@ -443,11 +458,11 @@ kex_send_newkeys(struct ssh *ssh)
+ (r = sshpkt_send(ssh)) != 0)
+ return r;
+ debug("SSH2_MSG_NEWKEYS sent");
+- debug("expecting SSH2_MSG_NEWKEYS");
+ ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
+- if (ssh->kex->ext_info_c)
++ if (ssh->kex->ext_info_c && (ssh->kex->flags & KEX_INITIAL) != 0)
+ if ((r = kex_send_ext_info(ssh)) != 0)
+ return r;
++ debug("expecting SSH2_MSG_NEWKEYS");
+ return 0;
+ }
+
+@@ -465,6 +480,11 @@ kex_input_ext_info(int type, u_int32_t s
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
+ if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
+ return r;
++ if (ninfo >= 1024) {
++ error("SSH2_MSG_EXT_INFO with too many entries, expected "
++ "<=1024, received %u", ninfo);
++ return dispatch_protocol_error(type, seq, ssh);
++ }
+ for (i = 0; i < ninfo; i++) {
+ if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
+ return r;
+@@ -503,6 +523,7 @@ kex_input_newkeys(int type, u_int32_t se
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
+ kex->done = 1;
++ kex->flags &= ~KEX_INITIAL;
+ sshbuf_reset(kex->peer);
+ /* sshbuf_reset(kex->my); */
+ kex->flags &= ~KEX_INIT_SENT;
+@@ -554,7 +575,7 @@ kex_input_kexinit(int type, u_int32_t se
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
+- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+@@ -584,7 +605,7 @@ kex_input_kexinit(int type, u_int32_t se
+ if (!(kex->flags & KEX_INIT_SENT))
+ if ((r = kex_send_kexinit(ssh)) != 0)
+ return r;
+- if ((r = kex_choose_conf(ssh)) != 0)
++ if ((r = kex_choose_conf(ssh, seq)) != 0)
+ return r;
+
+ if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
+@@ -832,7 +853,13 @@ proposals_match(char *my[PROPOSAL_MAX],
+ }
+
+ static int
+-kex_choose_conf(struct ssh *ssh)
++kexalgs_contains(char **peer, const char *ext)
++{
++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
++}
++
++static int
++kex_choose_conf(struct ssh *ssh, uint32_t seq)
+ {
+ struct kex *kex = ssh->kex;
+ struct newkeys *newkeys;
+@@ -857,13 +884,23 @@ kex_choose_conf(struct ssh *ssh)
+ sprop=peer;
+ }
+
+- /* Check whether client supports ext_info_c */
+- if (kex->server) {
+- char *ext;
+-
+- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
+- kex->ext_info_c = (ext != NULL);
+- free(ext);
++ /* Check whether peer supports ext_info/kex_strict */
++ if ((kex->flags & KEX_INITIAL) != 0) {
++ if (kex->server) {
++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-c-v00@openssh.com");
++ } else {
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-s-v00@openssh.com");
++ }
++ if (kex->kex_strict) {
++ debug3("will use strict KEX ordering");
++ if (seq != 0)
++ ssh_packet_disconnect(ssh,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
+ }
+
+ /* Algorithm Negotiation */
+Index: openssh/kex.h
+===================================================================
+--- openssh.orig/kex.h
++++ openssh/kex.h
+@@ -107,6 +107,7 @@ enum kex_exchange {
+ };
+
+ #define KEX_INIT_SENT 0x0001
++#define KEX_INITIAL 0x0002
+
+ struct sshenc {
+ char *name;
+@@ -145,6 +146,7 @@ struct kex {
+ u_int kex_type;
+ char *server_sig_algs;
+ int ext_info_c;
++ int kex_strict;
+ struct sshbuf *my;
+ struct sshbuf *peer;
+ sig_atomic_t done;
+Index: openssh/packet.c
+===================================================================
+--- openssh.orig/packet.c
++++ openssh/packet.c
+@@ -1162,8 +1162,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh
+ sshbuf_dump(state->output, stderr);
+ #endif
+ /* increment sequence number for outgoing packets */
+- if (++state->p_send.seqnr == 0)
++ if (++state->p_send.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "outgoing sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("outgoing seqnr wraps around");
++ }
+ if (++state->p_send.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1171,6 +1176,12 @@ ssh_packet_send2_wrapped(struct ssh *ssh
+ state->p_send.bytes += len;
+ sshbuf_reset(state->outgoing_packet);
+
++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("%s: resetting send seqnr %u", __func__,
++ state->p_send.seqnr);
++ state->p_send.seqnr = 0;
++ }
++
+ if (type == SSH2_MSG_NEWKEYS)
+ r = ssh_set_newkeys(ssh, MODE_OUT);
+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
+@@ -1304,8 +1315,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
+ /* Stay in the loop until we have received a complete packet. */
+ for (;;) {
+ /* Try to read a packet from the buffer. */
+- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
+- if (r != 0)
++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
+ break;
+ /* If we got a packet, return it. */
+ if (*typep != SSH_MSG_NONE)
+@@ -1592,10 +1602,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u
+ if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
+ goto out;
+ }
++
+ if (seqnr_p != NULL)
+ *seqnr_p = state->p_read.seqnr;
+- if (++state->p_read.seqnr == 0)
++ if (++state->p_read.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "incoming sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("incoming seqnr wraps around");
++ }
+ if (++state->p_read.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1661,6 +1677,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u
+ #endif
+ /* reset for next packet */
+ state->packlen = 0;
++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("%s: resetting read seqnr %u", __func__,
++ state->p_read.seqnr);
++ state->p_read.seqnr = 0;
++ }
+
+ /* do we need to rekey? */
+ if (ssh_packet_need_rekeying(ssh, 0)) {
+@@ -1685,10 +1706,39 @@ ssh_packet_read_poll_seqnr(struct ssh *s
+ r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
+ if (r != 0)
+ return r;
+- if (*typep) {
+- state->keep_alive_timeouts = 0;
+- DBG(debug("received packet type %d", *typep));
++ if (*typep == 0) {
++ /* no message ready */
++ return 0;
++ }
++ state->keep_alive_timeouts = 0;
++ DBG(debug("received packet type %d", *typep));
++
++ /* Always process disconnect messages */
++ if (*typep == SSH2_MSG_DISCONNECT) {
++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
++ return r;
++ /* Ignore normal client exit notifications */
++ do_log2(ssh->state->server_side &&
++ reason == SSH2_DISCONNECT_BY_APPLICATION ?
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
++ "Received disconnect from %s port %d:"
++ "%u: %.400s", ssh_remote_ipaddr(ssh),
++ ssh_remote_port(ssh), reason, msg);
++ free(msg);
++ return SSH_ERR_DISCONNECTED;
+ }
++
++ /*
++ * Do not implicitly handle any messages here during initial
++ * KEX when in strict mode. They will be need to be allowed
++ * explicitly by the KEX dispatch table or they will generate
++ * protocol errors.
++ */
++ if (ssh->kex != NULL &&
++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
++ return 0;
++ /* Implicitly handle transport-level messages */
+ switch (*typep) {
+ case SSH2_MSG_IGNORE:
+ debug3("Received SSH2_MSG_IGNORE");
+@@ -1703,19 +1753,6 @@ ssh_packet_read_poll_seqnr(struct ssh *s
+ debug("Remote: %.900s", msg);
+ free(msg);
+ break;
+- case SSH2_MSG_DISCONNECT:
+- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+- return r;
+- /* Ignore normal client exit notifications */
+- do_log2(ssh->state->server_side &&
+- reason == SSH2_DISCONNECT_BY_APPLICATION ?
+- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+- "Received disconnect from %s port %d:"
+- "%u: %.400s", ssh_remote_ipaddr(ssh),
+- ssh_remote_port(ssh), reason, msg);
+- free(msg);
+- return SSH_ERR_DISCONNECTED;
+ case SSH2_MSG_UNIMPLEMENTED:
+ if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
+ return r;
+@@ -2173,6 +2210,7 @@ kex_to_blob(struct sshbuf *m, struct kex
+ (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->flags)) != 0 ||
+@@ -2339,6 +2377,7 @@ kex_from_blob(struct sshbuf *m, struct k
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->flags)) != 0 ||
+@@ -2664,6 +2703,7 @@ sshpkt_disconnect(struct ssh *ssh, const
+ vsnprintf(buf, sizeof(buf), fmt, args);
+ va_end(args);
+
++ debug2("%s: sending SSH2_MSG_DISCONNECT: %s", __func__, buf);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
+ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
+Index: openssh/sshconnect2.c
+===================================================================
+--- openssh.orig/sshconnect2.c
++++ openssh/sshconnect2.c
+@@ -170,7 +170,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
++ if ((s = kex_names_cat(options.kex_algorithms,
++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal("%s: kex_names_cat", __func__);
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+@@ -351,7 +352,6 @@ struct cauthmethod {
+ };
+
+ int input_userauth_service_accept(int, u_int32_t, struct ssh *);
+-int input_userauth_ext_info(int, u_int32_t, struct ssh *);
+ int input_userauth_success(int, u_int32_t, struct ssh *);
+ int input_userauth_success_unexpected(int, u_int32_t, struct ssh *);
+ int input_userauth_failure(int, u_int32_t, struct ssh *);
+@@ -468,7 +468,7 @@ ssh_userauth2(const char *local_user, co
+
+ ssh->authctxt = &authctxt;
+ ssh_dispatch_init(ssh, &input_userauth_error);
+- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
+ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
+ ssh->authctxt = NULL;
+@@ -514,13 +514,6 @@ input_userauth_service_accept(int type,
+ return r;
+ }
+
+-/* ARGSUSED */
+-int
+-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
+-{
+- return kex_input_ext_info(type, seqnr, ssh);
+-}
+-
+ void
+ userauth(Authctxt *authctxt, char *authlist)
+ {
+@@ -600,6 +593,7 @@ input_userauth_success(int type, u_int32
+ free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
+ authctxt->success = 1; /* break out */
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
+ return 0;
+ }
+
+Index: openssh/sshd.c
+===================================================================
+--- openssh.orig/sshd.c
++++ openssh/sshd.c
+@@ -2360,10 +2360,13 @@ do_ssh2_kex(void)
+ {
+ char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
+ struct kex *kex;
++ char *s;
+ int r;
+
+- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+- options.kex_algorithms);
++ if ((s = kex_names_cat(options.kex_algorithms,
++ "kex-strict-s-v00@openssh.com")) == NULL)
++ fatal("%s: kex_names_cat", __func__);
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+ options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
+@@ -2469,6 +2472,7 @@ do_ssh2_kex(void)
+ packet_send();
+ packet_write_wait();
+ #endif
++ free(s);
+ debug("KEX done");
+ }
+
diff --git a/debian/patches/CVE-2023-51385.patch b/debian/patches/CVE-2023-51385.patch
new file mode 100644
index 0000000..9a35c37
--- /dev/null
+++ b/debian/patches/CVE-2023-51385.patch
@@ -0,0 +1,94 @@
+From 2bea7434c9fad19f017846adad0e995d8da00642 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=7ef3787c84b6b524501211b11a26c742f829af1a
+Last-Update: 2023-12-19
+
+Patch-Name: CVE-2023-51385.patch
+---
+ ssh.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+Index: openssh/ssh.c
+===================================================================
+--- openssh.orig/ssh.c
++++ openssh/ssh.c
+@@ -573,6 +573,41 @@ set_addrinfo_port(struct addrinfo *addrs
+ }
+ }
+
++static int
++valid_hostname(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Main program for the ssh client.
+ */
+@@ -1034,6 +1069,10 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
++ if (options.user != NULL && !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
+ host_arg = xstrdup(host);
+
+ #ifdef WITH_OPENSSL
diff --git a/debian/patches/series b/debian/patches/series
index 2aca60f..75c3342 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,8 @@ sandbox-seccomp-ipc.patch
bug2918.patch
CVE-2023-38408-1.patch
CVE-2023-38408-3.patch
+CVE-2023-48795.patch
+CVE-2023-48795-buster.patch
+CVE-2023-51385.patch
+CVE-2021-41617-1.patch
+CVE-2021-41617-2.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..1193ada
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,9 @@
+---
+include:
+ - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/buster.yml
+
+variables:
+ - SALSA_CI_COMPONENTS: 'main contrib non-free'
+ - SALSA_CI_DISABLE_REPROTEST: 1
+ - SALSA_CI_DISABLE_LINTIAN: 1
+ - SALSA_CI_DISABLE_PIUPARTS: 1