Bug 32674

Summary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) - golang-x-crypto
Product: Mageia Reporter: Marja Van Waes <marja11>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: NEW --- QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, lewyssmith, marja11, nicolas.salguero, pkg-bugs, security, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: golang-x-crypto-0-6.mga9 CVE: CVE-2023-48795
Status comment:
Bug Depends on:    
Bug Blocks: 32641    

Description Marja Van Waes 2023-12-31 18:18:51 CET 
+++ This bug was initially created as a clone of Bug #32641 +++

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3

Many SSH implementations that are packaged in Mageia are affected:
<snip>
  - golang-x-crypto-0-6.mga9
Should be fixed in v. 0.17.0 https://pkg.go.dev/golang.org/x/crypto@v0.17.0 but I don't find the changelog.
Marja Van Waes 2023-12-31 18:19:06 CET

Whiteboard: (none) => MGA9TOO

Comment 1 papoteur 2024-01-01 10:32:37 CET 
I have updated golang-x-crypto in cauldron to 0.17.0 which includes the fix, according to https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
As it provides golang-x-crypto-devel which are source files, does it mean that all packages which depend of it have to be rebuild? And then dependencies thereof?

In Mageia 9:
urpmq --whatrequires golang-x-crypto-devel
golang-github-azure-autorest
golang-github-azure-autorest-devel
golang-github-azure-sdk
golang-github-azure-sdk-devel
golang-github-cloudflare-circl-devel
golang-github-coreos-pkg
golang-github-coreos-pkg-devel
golang-github-elithrar-simple-scrypt
golang-github-elithrar-simple-scrypt-devel
golang-github-git-5-devel
golang-github-gliderlabs-ssh
golang-github-gliderlabs-ssh-devel
golang-github-gobuffalo-logger
golang-github-gobuffalo-logger-devel
golang-github-google-devel
golang-github-gophercloud
golang-github-gophercloud-devel
golang-github-gopherjs-devel
golang-github-howeyc-gopass
golang-github-howeyc-gopass-devel
golang-github-jcmturner-gokrb5
golang-github-jcmturner-gokrb5-devel
golang-github-labstack-echo-4
golang-github-labstack-echo-4-devel
golang-github-masterminds-sprig
golang-github-masterminds-sprig-devel
golang-github-minio
golang-github-minio-devel
golang-github-nats-io-nkeys
golang-github-nats-io-nkeys-devel
golang-github-nats-io-server-devel
golang-github-pkg-sftp
golang-github-pkg-sftp-devel
golang-github-playground-validator-10-devel
golang-github-playground-validator-v10
golang-github-prometheus-exporter-toolkit
golang-github-prometheus-exporter-toolkit-devel
golang-github-protonmail-crypto-devel
golang-github-sagikazarmark-crypt
golang-github-sagikazarmark-crypt-devel
golang-github-schollz-progressbar-3
golang-github-schollz-progressbar-3-devel
golang-github-shopify-toxiproxy
golang-github-shopify-toxiproxy-devel
golang-github-spf13-afero
golang-github-xanzy-ssh-agent
golang-github-xanzy-ssh-agent-devel
golang-github-xdg-scram
golang-github-xdg-scram-devel
golang-google-grpc
golang-google-grpc-devel
golang-gopkg-jcmturner-gokrb5-5
golang-gopkg-jcmturner-gokrb5-5-devel
golang-gopkg-jcmturner-gokrb5-7
golang-gopkg-jcmturner-gokrb5-7-devel
golang-gopkg-macaron-1
golang-gopkg-macaron-1-devel
golang-gopkg-src-d-git-4
golang-gopkg-src-d-git-4-devel
golang-mongodb-mongo-driver
golang-mongodb-mongo-driver-devel
golang-x-build
golang-x-build-devel
golang-x-crypto-devel
golang-x-exp-devel
golang-x-mod
golang-x-mod-devel
nats-server
restic
Marja Van Waes 2024-01-02 12:00:08 CET

CVE: (none) => CVE-2023-48795

Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)