That CVE was announced here: https://www.openwall.com/lists/oss-security/2023/12/18/3 https://www.openwall.com/lists/oss-security/2023/12/19/5 https://www.openwall.com/lists/oss-security/2023/12/20/3 Many SSH implementations that are packaged in Mageia are affected: - dropbear (https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356) - erlang (Erlang ssh 5.1.1) - golang-x-crypto (0.17.0) - libssh (0.10.6 and 0.9.8) - libssh2 (https://github.com/libssh2/libssh2/pull/1291) - OpenSSH (9.6) - putty (0.80) - jsch (0.2.15) - proftpd (open bug: https://github.com/proftpd/proftpd/issues/1760) - apache-sshd - trilead-ssh2 Other implementations are affected. I did not find them into Mageia but maybe I missed them: - AsyncSSH (2.14.2) - Paramiko (3.4.0) - russh (0.40.2) - SFTPGo (2.5.6) - ssh2 [node.js/npm] (1.15.0) - Tera Term (5.1) - Thrussh (0.35.1) - Apache Mina (open bug: https://github.com/apache/mina-sshd/issues/445) - SSHJ (open bug: https://github.com/hierynomus/sshj/issues/916) - Java SSH - tinyssh - rubygem-net-ssh - rust libssh2-sys
Whiteboard: (none) => MGA9TOO
Depends on: (none) => 32644
Thank you Nicolas for the detailed research about Mageia. Résumé: From the 3 openwall URLs, noting just those pkgs Nicolas identified in comment 0 as being in Mageia: Already dealt with: - Dropbear git: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 - Erlang ssh 5.1.1: https://www.erlang.org/doc/apps/ssh/notes - golang.org/x/crypto 0.17.0: https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg - libssh 0.10.6 and 0.9.8: https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ - libssh2 git: https://github.com/libssh2/libssh2/issues/1290 https://github.com/libssh2/libssh2/pull/1291 - OpenSSH 9.6: https://www.openssh.com/txt/release-9.6 - PuTTY 0.80: https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html - Jsch (Java SSH): release 0.2.15 fixes it https://github.com/mwiede/jsch/releases/tag/jsch-0.2.15 ? fixed (3rd URL, after Jsch): - apache-sshd and - trilead-ssh2 as Java SSH implementations are affected In progres: - ProFTPD (mod_sftp): https://github.com/proftpd/proftpd/issues/1760 I imagine that packages fixed upstream will be fixed with us. Be careful about noting which have been done. This is worth copying here for information: "### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to a variety of SSH implementations, including OpenSSH itself, PuTTY, libssh, and more. **Warning: To take effect, both the client and server must support this countermeasure.**"
Assignee: bugsquad => pkg-bugs
Depends on: (none) => 32656
Depends on: (none) => 32660CC: (none) => yvesbrungard
Depends on: (none) => 32662
This bug really needs to become a TRACKER for the different bits, each having its own bug as Yves has sensibly done for dropbear bug 32656. CC'ing Marja for advice about this.
CC: (none) => lewyssmith, marja11
(In reply to Lewis Smith from comment #2) > This bug really needs to become a TRACKER for the different bits, each > having its own bug as Yves has sensibly done for dropbear bug 32656. > CC'ing Marja for advice about this. Papoteur opened at least one more bug report, about erlang, but 32670, I'll check whether more were opened
Depends on: (none) => 32670Keywords: (none) => TRACKERSummary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) => [TRACKER] CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
Depends on: (none) => 32671
Depends on: (none) => 32672
Depends on: (none) => 32673
Depends on: (none) => 32674
Depends on: (none) => 32675
Depends on: (none) => 32676
(In reply to Nicolas Salguero from comment #0) > That CVE was announced here: > https://www.openwall.com/lists/oss-security/2023/12/18/3 > https://www.openwall.com/lists/oss-security/2023/12/19/5 > https://www.openwall.com/lists/oss-security/2023/12/20/3 > > Many SSH implementations that are packaged in Mageia are affected: bug 32656 - dropbear (https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356) bug 32670 - erlang (Erlang ssh 5.1.1) bug 32674 - golang-x-crypto (0.17.0) bug 32660 - libssh (0.10.6 and 0.9.8) bug 32662 - libssh2 (https://github.com/libssh2/libssh2/pull/1291) bug 32671 - OpenSSH (9.6) bug 32672 - putty (0.80) bug 32673 - jsch (0.2.15) bug 32644 - proftpd (open bug: https://github.com/proftpd/proftpd/issues/1760) bug 32675 - apache-sshd bug 32676 - trilead-ssh2 > > Other implementations are affected. I did not find them into Mageia but > maybe I missed them: They still need to be checked. However, about this one: > - Apache Mina (open bug: https://github.com/apache/mina-sshd/issues/445) I understand that is the same as appache-sshd, because, from a changelog mail: Name : apache-sshd Relocations: (not relocatable) Version : 2.8.0 Vendor: Mageia.Org Release : 1.mga9 Build Date: Wed 03 Aug 2022 12:39:12 AM CEST Install Date: (not installed) Build Host: localhost Group : Development/Java Source RPM: (none) Size : 1634333 License: ASL 2.0 and ISC Signature : (none) Packager : neoclust <neoclust> URL : http://mina.apache.org/sshd-project Summary : Apache SSHD
https://www.openwall.com/lists/oss-security/2023/12/20/3 Isn't rubygem-net-ssh our ruby-net-ssh? CC'ing bcornec and pterjan, who were the last ones to push it.
CC: (none) => bruno, pterjan
Depends on: (none) => 32682
(In reply to Marja Van Waes from comment #5) > https://www.openwall.com/lists/oss-security/2023/12/20/3 > > Isn't rubygem-net-ssh our ruby-net-ssh? > bug 32682 was filed for ruby-net-ssh
Blocks: (none) => 32748
Depends on: (none) => 32748Blocks: 32748 => (none)
bug 32748 was filed for filezilla