+++ This bug was initially created as a clone of Bug #32641 +++ That CVE was announced here: https://www.openwall.com/lists/oss-security/2023/12/18/3 https://www.openwall.com/lists/oss-security/2023/12/19/5 https://www.openwall.com/lists/oss-security/2023/12/20/3 ruby-net-ssh is likely affected, too, the net-ssh gem 7.2.0 for Ruby is listed in the Description here https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795 However, I can't find a bug report about it, there is only one older security issue listed here: https://github.com/net-ssh/net-ssh/labels/security Nor anything in the 7.2.1 rc1 changelog about it being fixed https://github.com/net-ssh/net-ssh/blob/master/CHANGES.txt
CVE: (none) => CVE-2023-48795Whiteboard: (none) => MGA9TOOAssignee: bugsquad => pkg-bugs
Blocks: (none) => 32748
Blocks: 32748 => (none)
Adding the flag: affects_mga9 + to all bugs with MGA9TOO on the whiteboard, without removing MGA9TOO (for now).
Flags: (none) => affects_mga9+
Re-signing to pterjan, because he was the last one to touch this package. @ Pascal, I don't see an open or closed issue about CVE-2023-48795 in https://github.com/net-ssh/net-ssh/issues Wasn't it affected?
Assignee: pkg-bugs => pterjan
From the announcement this affects ChaCha20-Poly1305 and Encrypt-then-MAC, and when using Encrypt-then-MAC, it requires using CBC. ruby-net-ssh started supporting ChaCha20-Poly1305 in 7.2.0, and only if RbNaCl is installed so we don't have it enabled even in cauldron. It has however supported Encrypt-then-MAC for a long time (since 2.9.0 in 2014): * Added HMACs: hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com
Based on https://github.com/net-ssh/net-ssh?tab=readme-ov-file#encryption-algorithms-ciphers all CBC cyphers are deprecated and disabled by default since 6.0, so Encrypt-then-MAC would not be impacted either.