From 7a745dd1aa13fbf110cc4d86ddbc86617975d6ad Mon Sep 17 00:00:00 2001 From: Archana Polampalli Date: Thu, 28 Dec 2023 06:40:38 +0000 Subject: openssh: fix CVE-2023-51384 In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys. References: https://nvd.nist.gov/vuln/detail/CVE-2023-51384 Upstream patches: https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman
---
meta/recipes-connectivity/openssh/openssh_8.9p1.bb | 1 + 1 file changed, 1 insertion(+) (limited to 'meta/recipes-connectivity/openssh/openssh_8.9p1.bb')
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 7ad9bced1b..3860899540 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://CVE-2023-38408-0004.patch \
 file://fix-authorized-principals-command.patch \
 file://CVE-2023-48795.patch \
+ file://CVE-2023-51384.patch \
 "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
-- cgit 1.2.3-korg
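Review bot: The added `file://CVE-2023-51384.patch \` entry is the only part of the fix visible in this view, which is limited to the recipe, so the hunk cannot confirm that the backported patch file carries the header tags the build relies on for CVE tracking. The patch header should contain `CVE: CVE-2023-51384` and `Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b]`, matching the upstream commit named in the description. The entry is listed after the CVE-2023-38408 series, which presumably touches the same ssh-agent PKCS#11 code, so it is worth checking that the backport applies cleanly in that order on 8.9p1 rather than with fuzz. The `SRC_URI` assignment begins above the hunk, so the earlier entries are not visible here.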