The latest release of OpenSSH, version 9.3, addresses two security vulnerabilities along with minor bug fixes. The first vulnerability involves smart card keys added to the SSH agent, with a previously added restriction logic error that failed to communicate the restrictions to the agent. This prevented the restrictions from being active when applied to hosts and users. The second vulnerability occurs with Portable OpenSSH, and a fallback function called getrrsetbyname that triggers an out of bounds read on the stack when manipulated DNS responses occur, resulting in a crash. Although OpenSSH maintainers are working to address all memory errors that can be provoked from the network, it is unlikely that the second vulnerability can be exploited to perform other malicious activities.
Apart from the two vulnerabilities, OpenSSH 9.3 also has new features and bug fixes. ssh-keygen and ssh-keyscan, for example, can now select hash algorithms with the -Ohashald=sha1|sha256 option. IT managers should quickly check whether the updated sources are available through git and download mirrors, or some distributions may offer updated packages with their own software management.
In February, OpenSSH 9.2 addressed two other security vulnerabilities, though there were no CVE entries or concrete risk assessments available. While updating software is crucial to maintain the security of the system, it is important to ensure that the newest version offers better protection for users.
