deadsimple BSD Security Advisories and Announcements

OpenBSD Errata: September 27, 2021 (sshd)

An errata patch for sshd(8) has been released for OpenBSD 6.8 and
OpenBSD 6.9.

  sshd(8) from OpenSSH 6.2 (OpenBSD 5.3) through 8.7 (OpenBSD 6.9) failed to
  correctly initialise supplemental groups when executing an
  AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a
  AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has
  been set to run the command as a different user. Instead these commands
  would inherit the groups that sshd(8) was started with.

  Depending on system configuration, inherited groups may allow
  AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain
  unintended privilege.

  Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled
  by default in sshd_config(5).

Binary updates for the amd64, i386 and arm64 platform are available
via the syspatch utility.  Source code patches can be found on the
respective errata page: