CVE-2023-28531

Name	CVE-2023-28531
Description	ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1033166

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openssh (PTS)	jessie, jessie (lts)	1:6.7p1-5+deb8u10	fixed
	stretch (security)	1:7.4p1-10+deb9u6	fixed
	stretch (lts), stretch	1:7.4p1-10+deb9u9	fixed
	buster	1:7.9p1-10+deb10u2	fixed
	buster (security)	1:7.9p1-10+deb10u4	fixed
	bullseye (security), bullseye	1:8.4p1-5+deb11u3	fixed
	bookworm (security), bookworm	1:9.2p1-2+deb12u2	fixed
	sid, trixie	1:9.7p1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
openssh	source	jessie	(not affected)
openssh	source	stretch	(not affected)
openssh	source	buster	(not affected)
openssh	source	bullseye	(not affected)
openssh	source	bookworm	1:9.2p1-2+deb12u2
openssh	source	(unstable)	1:9.3p1-1	1033166

Notes

[bullseye] - openssh <not-affected> (Vulnerable code introduced later; per-hop destination constraints support added in OpenSSH 8.9)
[buster] - openssh <not-affected> (Vulnerable code introduced later; per-hop destination constraints support added in OpenSSH 8.9)
https://github.com/openssh/openssh-portable/commit/54ac4ab2b53ce9fcb66b8250dee91c070e4167ed (V_9_3_P1)
[stretch] - openssh <not-affected> (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9)
[jessie] - openssh <not-affected> (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9)