Description of problem: See bug 32641 Version-Release number of selected component (if applicable): dropbear-2022.83-2.mga9
Source: dropbear-2022.83-2.1.mga9 RPMS: dropbear-2022.83-2.1.mga9
CVE: (none) => CVE-2023-48795QA Contact: (none) => securityBlocks: (none) => 32641Component: RPM Packages => Security
The submitted package includes this patch: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
Thank you Yves for picking this one up. Assigning to you... Also for sensibly creating this individual bug for dropbear; which we should do for all the others in the parent bug 32641. Does this not also apply to Cauldron? The parent bug cited that; I have altered this one accordingly. Will it go into Updates_Testing (then to QA, who almost certainly cannot test it beyond a clean update)?
CC: (none) => lewyssmithAssignee: bugsquad => yvesbrungardWhiteboard: (none) => MGA9TOOVersion: 9 => Cauldron
Hi Lewis, I missed to say that cauldron is already updated. And Mageia 9 version is in updates_testing Proposed advisory ================== Parts of the SSH specification are vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and thus downgrading connection security. ### Mitigations To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to a variety of SSH implementations, including OpenSSH itself, PuTTY, libssh, and more. This release includes a patch to implement Strict KEX mode.
Whiteboard: MGA9TOO => (none)Assignee: yvesbrungard => qa-bugsVersion: Cauldron => 9
Advisory from comment 4 with SRPM from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisoryCC: (none) => marja11
MGA9-64 Plasma Wayland on HP Pavillion No installation issues. Ref bug 31119 for testing # systemctl stop sshd.service [root@mach4 ~]# systemctl start dropbear.service [root@mach4 ~]# systemctl -l status dropbear.service ● dropbear.service - Dropbear SSH Server Daemon Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; preset: disabled) Active: active (running) since Wed 2024-01-03 15:00:51 CET; 16s ago Process: 73711 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 73712 (dropbear) Tasks: 1 (limit: 4480) Memory: 312.0K CPU: 8ms CGroup: /system.slice/dropbear.service └─73712 /usr/sbin/dropbear jan 03 15:00:51 mach4.hviaene.thuis systemd[1]: Starting dropbear.service... jan 03 15:00:51 mach4.hviaene.thuis dropbear[73711]: Failed loading /etc/dropbear/dropbear_ed25519_host_key jan 03 15:00:51 mach4.hviaene.thuis dropbear[73712]: Running in background jan 03 15:00:51 mach4.hviaene.thuis systemd[1]: Started dropbear.service. and then testing as normal user: $ dbclient -o DisableTrivialAuth=yes localhost echo OK Host 'localhost' is not in the trusted hosts file. (ecdsa-sha2-nistp256 fingerprint SHA256:XwlQRhVy6H5ln68J8MPFAEUthAkUrsT8UrFBxaBKLqE) Do you want to continue connecting? (y/n) y tester9@localhost's password: OK So that fullfils the conditions from bug 31119, confirmed by second run which doesn't have the key problem anymore $ dbclient -o DisableTrivialAuth=yes localhost echo OK tester9@localhost's password: OK
CC: (none) => herman.viaeneWhiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0004.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Blocks: (none) => 32748
Blocks: 32748 => (none)