Bug 32673 - CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) - jsch
Summary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Atta...
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on:
Blocks: 32641
  Show dependency treegraph
 
Reported: 2023-12-31 18:11 CET by Marja Van Waes
Modified: 2024-04-04 09:43 CEST (History)
7 users (show)

See Also:
Source RPM: jsch-0.1.55-8.mga9
CVE: CVE-2023-48795
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marja Van Waes 2023-12-31 18:11:27 CET 
+++ This bug was initially created as a clone of Bug #32641 +++

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3

Many SSH implementations that are packaged in Mageia are affected:
<snip>
  - jsch
Other than the SPEC file says, jsch seems to live in github nowadays and 0.2.15 is the version with the fix for CVE-48795
https://github.com/mwiede/jsch/releases/tag/jsch-0.2.15
Marja Van Waes 2023-12-31 18:13:28 CET

Whiteboard: (none) => MGA9TOO

Marja Van Waes 2024-01-02 12:00:26 CET

CVE: (none) => CVE-2023-48795

Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)

Comment 1 Nicolas Salguero 2024-04-04 09:43:34 CEST 
According to https://security-tracker.debian.org/tracker/CVE-2023-48795, our version is not affected because:
  - ChaCha20-Poly1305 support was introduced in 0.1.61;
  - *-EtM support was introduced in 0.1.58.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.