Bug 1218214 (CVE-2023-51384)

Summary: VUL-0: CVE-2023-51384: openssh: incomplete constraints during addition of PKCS#11-hosted private keys
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, meissner, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/388572/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51384:4.4:(AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-12-19 13:51:12 UTC 
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51384
Comment 2 Marcus Meissner 2024-02-12 09:54:48 UTC 
also ALP is affected

submit to:
SUSE:ALP:Source:Standard:1.0 openssh
Comment 5 Marcus Meissner 2024-05-21 09:08:00 UTC 
as the feature was only added in recent openssh versions, the security problem does not apply to earlier versions than 9.3p1