> On Sep 4, 2024, at 7:26 PM, James Watt <crispy.james.w...@gmail.com> wrote:
> 
> Hi,
>   we have detected that your project of release/14.0 is vulnerable to
> CVE-2023-51384, which is caused by the lower version of OpenSSH; maybe you
> need to update it?
> 
> Best regards,
> James
> 

Hi James,

We (secteam) try to avoid wholesale upgrades of OpenSSH in our release branches. 
As such, we take a risk-based approach to what we pull into the tree. Given 
this particular CVE is related to ssh-agent with a specific set of 
circumstances (multiple PKCS#11 keys with destination constraints), we opted 
not to publish an update for it. Users who want to defend against this particular 
CVE could either use the OpenSSH from ports/pkg or directly upgrade to 
14.1-RELEASE.

Lastly, given that 14.0-RELEASE is going out of support at the end of this 
month, this will be overcome by events pretty shortly.

On an unrelated note, your message says that “we” have detected the old version. 
Out of curiosity, do you represent a broader organization? Your email address 
being hosted on gmail.com makes it difficult to know.

Thanks,
Gordon
Hat: security-officer
