-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0847
                    network-manager-ssh security update
                               10 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           network-manager-ssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9355  

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4637

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running network-manager-ssh check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4637-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 09, 2020                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : network-manager-ssh
CVE ID         : CVE-2020-9355

Kobus van Schoor discovered that network-manager-ssh, a plugin to
provide VPN integration for SSH in NetworkManager, is prone to a
privilege escalation vulnerability. A local user with privileges to
modify a connection can take advantage of this flaw to execute arbitrary
commands as root.

This update drops support to pass extra SSH options to the ssh
invocation.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.1-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.10-1+deb10u1.

We recommend that you upgrade your network-manager-ssh packages.

For the detailed security status of network-manager-ssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/network-manager-ssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl5mobtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RvFA//Xj5V8SOWlWVkhh38GSk3yEkyGsGnZHxtUw10GilQtwVnviwagqcOLv+P
QTSW6oQUVPykp7ZSEE0yRZIz+Z8en6tcFySbOdUgp2BMAzw6EN8mJ/bUUAPDJccB
r9UnNr9knWS01szMWenwiBC8U+xtNymAoA8bpOLxuiSVAjMQSYakAnKNt8QOcC/O
AZ0O9jRnqLxr1BoN2+wDFnAaSttLwNvZUN2uLWGt858ws8PbhZlBpxwdzvANPeAJ
mgVPLNbgFa2v2/ycQXuqrr2qsAM5+fAROh/Bm8+xvT17RKGcB9hfM5NQLPiTqf7+
ZfaeJ3vjjuGBx+eMWJKqfju7mBCgS84pqdD6tgQwuESzCx49nV107B3cDrQlfUG5
rRxdyvigjepr+sVE1wLHXYyIENRceZAon7R/eZeD3uWfI7MT31ADv0gA2WTioiJe
QSVzAjTRcyOaDP6G/pOAEoONbbx3PQSoDTY2+koO2DIofUfbA8wuyCZoDoeUVs/N
8/QEpT0wWX6Hg9JxVyZZCDrK9mcZbBcBDzk69Tk+y5VAOQ5TB3n3jTAkNCNFt8vM
WTJ5C6rCTrou9XLG33iOLm66BE38DfE/Me7V8iWEgss1wUUF6DD9U09gV6v2IeCZ
MOyLgD8VGqkhGlVecMW+v3DVpQCa9BFnL+72qgXgpvdhut8/FhE=
=nBt0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXmb8UGaOgq3Tt24GAQhpsg/+KwnMHOZ0AseKIgBYAZf970qiSgz+9UlM
WGmGL71sDmm6IdestJc5AKYzKEoMqtl//fvCoh0QldEWwvYfEPYGicKd5tWu2xKa
WPVrOfFNdjQ3BQ6/Cewk8NTpgDNtlFXKL+sRhiZ9DoImqgXpeN57l8UjSmiRmHQ+
yR3OaGhn6pSddxRZqRUgm6UQ9UCgME43Fc9RpBajx7bKvGMDf374AShJ69gaKllN
HpUyI36QWco6WFY0IHLjvcjZPi0mKJwDx+EcPdO30GAJz8w02zvRwQG8XKu7I8Cj
CSersSr8+EUc4/mt2uLFOnAxv+hQuRN1r3jQ9iGMU18+oUsu9s0AXk1b8lXuELpu
O6VqVnMD4NpdB0K2rZIJgwZRtqewasXnMQT7pfBuvfd1XZsMdGp1+qjGweVvjQ0W
I/8hU2UCMOfH+DbPh27gNRyW3q3T4N10PdEvwg0Ec8PlecnIV7OS1KjHQm8Blfdf
3eSWWrW5woBNhxWKbqmzLrpzQ2tRayJIv7E2AAxT6Sor4mCPgwLRLJ7D6JooLKA/
XWzDGxtVIqym9xqbtHfmvDNlDU1y5XK0eMEyHJ+okBaqLOb9x+RaTTC7Z6FwV8Xc
+/3vdGNmOLwLDrTeuAbCvNhEASTobYltyK4RpbA7QTnX4sVNkOGCCSL7yHMLbYY9
kss9kn+6hQc=
=G1zg
-----END PGP SIGNATURE-----