Package: openssh-client Version: 1:9.2p1-2+deb12u2 Severity: normal X-Debbugs-Cc: t...@security.debian.org
Dear Maintainer, Following the upgrade of the openssh-client and related packages to 1:9.2p1-2+deb12u2, ssh connections to Oracle Linux 8.9 systems running their openssh server package 8.0p1-19.el8_9.2 have started to fail with: Bad packet length 2605177462. ssh_dispatch_run_fatal: Connection to REDACTED port 22: Connection corrupted The number after "Bad packet length" changes with each connection attempt. With the u1 version of openssh-client it was possible to connect to these systems. Specifying that the aes256-...@openssh.com cipher be used rather than the chacha20-poly1...@openssh.com works around the problem. On the Oracle side, the openssh server package has recent changes related to a couple of CVEs that may be relevant: - Forbid shell metasymbols in username/hostname Resolves: CVE-2023-51385 - Fix Terrapin attack Resolves: CVE-2023-48795 -- System Information: Debian Release: 12.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-client depends on: ii adduser 3.134 ii libc6 2.36-9+deb12u4 ii libedit2 3.1-20221030-2 ii libfido2-1 1.12.0-2+b1 ii libgssapi-krb5-2 1.20.1-2+deb12u1 ii libselinux1 3.4-1+b6 ii libssl3 3.0.11-1~deb12u2 ii passwd 1:4.13+dfsg1-1+b1 ii zlib1g 1:1.2.13.dfsg-1 Versions of packages openssh-client recommends: ii xauth 1:1.1.2-1 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> pn ssh-askpass <none> -- no debconf information
