Bug 32682 - CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) - ruby-net-ssh
Summary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Atta...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on:
Blocks: 32641
  Show dependency treegraph
 
Reported: 2024-01-02 11:54 CET by Marja Van Waes
Modified: 2024-01-19 16:16 CET (History)
10 users (show)

See Also:
Source RPM: ruby-net-ssh-7.0.1-1.mga9
CVE: CVE-2023-48795
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marja Van Waes 2024-01-02 11:54:04 CET 
+++ This bug was initially created as a clone of Bug #32641 +++

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3

ruby-net-ssh is likely affected, too, the net-ssh gem 7.2.0 for Ruby is listed in the Description here https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

However, I can't find a bug report about it, there is only one older security issue listed here:
https://github.com/net-ssh/net-ssh/labels/security

Nor anything in the 7.2.1 rc1 changelog about it being fixed
https://github.com/net-ssh/net-ssh/blob/master/CHANGES.txt
Marja Van Waes 2024-01-02 11:58:25 CET

CVE: (none) => CVE-2023-48795
Assignee: bugsquad => pkg-bugs
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)
Note You need to log in before you can comment on or make changes to this bug.