Hi!
While setting up a new VIOS, I tried to check it.
I have the following patches installed:
As you can see I have the ifixes from advisory16 installed (and am still on openssh 8.x)
Using the FLRTVC I get the following shown regarding openssh:
As you can see both advisory15 and advisory16 are shown as fixed.
Hope that helps,
Alexander
------------------------------
Alexander Reichle-Schmehl
------------------------------
Original Message:
Sent: Tue May 14, 2024 04:40 AM
From: Esa Kärkkäinen
Subject: Questions regarding OpenSSH advisories 15 and 16
Hello,
Welp that's one problem when the job of parsing advisories has been outsourced to a parser I wrote.
The other data point is that apar.csv, as parsed by flrtvc.ksh, reports that the fixes from OpenSSH advisories 15 and 16 must be installed simultaneously.
N.B. the output from the commands has been redacted to contain only OpenSSH related information.
# lslpp -l openssh.\*
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands  EFIXLOCKED
  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server  EFIXLOCKED
  openssh.license       9.2.112.2000  COMMITTED  Open Secure Shell License
  openssh.man.en_US     9.2.112.2000  COMMITTED  Open Secure Shell Documentation - U.S. English
Path: /etc/objrepos
  openssh.base.client   9.2.112.2000  COMMITTED  Open Secure Shell Commands  EFIXLOCKED
  openssh.base.server   9.2.112.2000  COMMITTED  Open Secure Shell Server  EFIXLOCKED

# emgr -P
PACKAGE                                                  INSTALLER   LABEL
======================================================== =========== ==========
openssh.base.client                                      installp    92112ma
openssh.base.server                                      installp    92112ma

# flrtvc.ksh
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In
openssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
openssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
#
------------------------------
Esa Kärkkäinen
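The post above hinges on cross-checking two reports: the efix labels that `emgr -P` says are installed, and the `APARs` column of the pipe-separated flrtvc.ksh report, which lists efix labels alongside CVE ids for each advisory row. The following is an added example (not FLRTVC's, AIX's or the poster's own parser) that reads both outputs and reports, per fileset, which installed labels already appear in the advisory's APAR list, what the `EFix Installed` column says, and the advisory's CVEs. The two sample inputs are constructed from the outputs quoted in the post; the field layout assumed is the one shown there (header line first, `|`-separated, `APARs` tokens separated by ` / `).

```python
"""Reconcile `emgr -P` efix labels with flrtvc.ksh advisory rows.

Added example for this thread, not part of FLRTVC or AIX. The sample
outputs below are constructed from the ones quoted in the post.
"""
from posixpath import basename
from urllib.parse import urlparse

# Constructed sample of `emgr -P` output (as quoted in the post).
EMGR_P_OUTPUT = """\
PACKAGE                                                  INSTALLER   LABEL
======================================================== =========== ==========
openssh.base.client                                      installp    92112ma
openssh.base.server                                      installp    92112ma
"""

# Constructed sample of flrtvc.ksh output, openssh rows only (as quoted).
FLRTVC_OUTPUT = """\
Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In
openssh.base.client|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
openssh.base.server|9.2.112.2000|sec||NOT FIXED - AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH|9.2.112.0-9.2.112.2000|38408m9a / 38408m9b / 38408m9c / 81112ma / 92112ma / CVE-2023-38408 / CVE-2023-40371|https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc|https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar|CVE-2023-38408:8.1 CVE-2023-40371:6.2|NO|08/23/2023|See Bulletin
"""


def parse_emgr_p(text):
    """Return {package: {efix_label, ...}} from `emgr -P` output.

    Data rows follow the '====' separator line and are whitespace-separated
    columns PACKAGE, INSTALLER, LABEL (layout assumed from the quoted output).
    """
    installed = {}
    in_rows = False
    for line in text.splitlines():
        if line.startswith("="):
            in_rows = True
            continue
        if not in_rows or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # ignore anything that is not a PACKAGE/INSTALLER/LABEL row
        installed.setdefault(parts[0], set()).add(parts[2])
    return installed


def parse_flrtvc(text):
    """Return a list of {column: value} dicts from the flrtvc.ksh report.

    The first non-empty line is the header; rows with a different number of
    '|' fields than the header are skipped rather than mis-mapped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        fields = line.split("|")
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def split_apars(field):
    """Split an APARs field like 'a / b / CVE-x' into (efix labels, CVE ids)."""
    labels, cves = set(), set()
    for token in field.split("/"):
        token = token.strip()
        if not token:
            continue
        (cves if token.upper().startswith("CVE-") else labels).add(token)
    return labels, cves


def reconcile(flrtvc_text, emgr_text):
    """For each report row, say which installed efix labels the advisory
    itself lists, next to what FLRTVC's own 'EFix Installed' column shows."""
    installed = parse_emgr_p(emgr_text)
    findings = []
    for row in parse_flrtvc(flrtvc_text):
        labels, cves = split_apars(row["APARs"])
        fileset = row["Fileset"]
        findings.append({
            "fileset": fileset,
            "advisory": basename(urlparse(row["Bulletin URL"]).path),
            # Abstract starts with the verdict, e.g. "NOT FIXED - AIX is ..."
            "status": row["Abstract"].split(" - ", 1)[0].strip(),
            "cves": cves,
            "installed_in_apars": installed.get(fileset, set()) & labels,
            "efix_installed_column": row["EFix Installed"],
        })
    return findings


if __name__ == "__main__":
    for f in reconcile(FLRTVC_OUTPUT, EMGR_P_OUTPUT):
        print(f["fileset"], f["advisory"], f["status"],
              "installed labels in APARs:", sorted(f["installed_in_apars"]),
              "EFix Installed column:", repr(f["efix_installed_column"]))
```

On the quoted report this shows, for both openssh filesets, that the installed label 92112ma is itself listed in the advisory15 APARs field while the row is still marked NOT FIXED with an empty `EFix Installed` column; keeping both facts side by side is what makes that kind of discrepancy visible when the reports are read by a script rather than by eye.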
Original Message:
Sent: Tue May 14, 2024 04:07 AM
From: Alexander Reichle-Schmehl
Subject: Questions regarding OpenSSH advisories 15 and 16
Hi again!
Rereading your post, I see your argument :)
But the new advisories list only the new vulnerabilities they fix. So installing the fix from advisory 16 will not only fix CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385, but, as the fixes are cumulative, also CVE-2023-38408 and CVE-2023-40371 from advisory 15.
Best regards,
Alexander
------------------------------
Alexander Reichle-Schmehl
Original Message:
Sent: Mon May 13, 2024 04:37 AM
From: Esa Kärkkäinen
Subject: Questions regarding OpenSSH advisories 15 and 16
Hi,
When I looked at the openssh_advisory15.asc and openssh_advisory16.asc advisories, it looks to me like these have fixes for different vulnerabilities, because the advisories don't have the same CVE numbers, so the ifixes are not cumulative in this case.
openssh_advisory15.asc: CVE-2023-38408 and CVE-2023-40371
openssh_advisory16.asc: CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385
Have I understood this correctly?
And if I have, is there any chance of getting an ifix that fixes all five CVEs?
I'm asking these questions because I cannot install both ifixes at the same time, because these ifixes update the same file(s).
------------------------------
Esa Kärkkäinen
------------------------------