From cf66a45b8ddea345fd90dc735103bc983c3478b8 Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Thu, 19 Oct 2023 06:52:26 +0800
Subject: [PATCH] [Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts (#16902)

### Why I did it
[Security] Upgrade the OpenSSL/OpenSSH to fix CVE alerts

Upgrade OpenSSL to 1.1.1n-0+deb11u5
Fix CVEs:
CVE-2023-0464 (Excessive Resource Usage Verifying X.509 Policy
CVE-2023-0465 (Invalid certificate policies in leaf certificates are
CVE-2023-0466 (Certificate policy check not enabled).
CVE-2022-4304 (Timing Oracle in RSA Decryption).
CVE-2023-2650 (Possible DoS translating ASN.1 object identifiers).

Upgrade OpenSSH to 8.4p1-5+deb11u2
Fix CVEs:
CVE-2023-38408 (Lacks SSH agent restriction)

##### Work item tracking
- Microsoft ADO **(number only)**: 25506776

#### How I did it
Upgrade the OpenSSL/OpenSSH package version and fix the UT failure.

#### How to verify it
Verified by UTs with and without FIPS enabled.
---
 rules/sonic-fips.mk | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk
index e53f8e5c4c82..62f7ea44aee8 100644
--- a/rules/sonic-fips.mk
+++ b/rules/sonic-fips.mk
@@ -1,8 +1,8 @@
 # fips packages
-FIPS_VERSION = 0.8
-FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u4+fips
-FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips
+FIPS_VERSION = 0.9
+FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u5+fips
+FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u2+fips
 FIPS_PYTHON_MAIN_VERSION = 3.9
 FIPS_PYTHON_VERSION = 3.9.2-1+fips
 FIPS_GOLANG_MAIN_VERSION = 1.15
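Review bot: The commit message says this change also "fix[es] the UT failure" and was verified "with and without FIPS enabled", but the diff touches only rules/sonic-fips.mk (1 file changed, 3 insertions, 3 deletions), and the only pins it moves are the +fips variants: FIPS_OPENSSL_VERSION 1.1.1n-0+deb11u4+fips -> 1.1.1n-0+deb11u5+fips, FIPS_OPENSSH_VERSION 8.4p1-5+deb11u1+fips -> 8.4p1-5+deb11u2+fips, plus FIPS_VERSION 0.8 -> 0.9. Nothing in the hunk pins the non-FIPS OpenSSL/OpenSSH, so please state in the message whether the non-FIPS image picks up deb11u5/deb11u2 from Debian on its own, otherwise only FIPS builds get the listed CVE fixes. Likewise either include the UT fix in this patch or say where it landed, and note what the FIPS_VERSION bump to 0.9 corresponds to on the package-publishing side so a reviewer can confirm that packages with exactly these +fips version strings exist before merging. Minor: the CVE lines for CVE-2023-0464 and CVE-2023-0465 in the message are cut off mid-parenthesis; worth completing so the record of what was fixed is readable in git log.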