Source: tinyssh
Version: 20230101-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/janmojzis/tinyssh/issues/81
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for tinyssh.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1...@openssh.com and (if CBC is used) the
| -e...@openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6,
| libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera
| Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo
| before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense
| CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD 1.3.9rc1, ORYX
| CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144,
| CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, the
| mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library
| before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust;
| and there could be effects on Bitvise SSH through 9.31.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/janmojzis/tinyssh/issues/81

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
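Added here as an illustration, not part of the bug report or of tinyssh's code: a small Python model of the "strict key exchange" hardening that OpenSSH 9.6 shipped against this CVE and that other implementations adopted. It assumes the hardening's two rules (only key-exchange messages are accepted while KEX is in progress, and the receive sequence number restarts at zero when SSH_MSG_NEWKEYS is processed) and drives it with constructed message flows.

```python
# Illustrative model of strict-KEX receive handling (assumed rules, see lead-in).
# Message numbers from RFC 4253 / RFC 8308.
SSH_MSG_IGNORE = 2
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_KEXDH_REPLY = 31

KEX_MESSAGES = {SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS}


class Receiver:
    """Receive-side state for one SSH direction: phase plus sequence number."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.seq = 0          # receive sequence number (RFC 4253 section 6.4)
        self.in_kex = True    # key exchange is open until NEWKEYS is processed
        self.log = []

    def receive(self, msg_type: int) -> bool:
        """Process one packet; return False when the connection must be closed."""
        if self.strict_kex and self.in_kex and msg_type not in KEX_MESSAGES:
            # Strict mode: a non-KEX message during key exchange is fatal, so an
            # unauthenticated packet cannot silently advance the counter.
            self.log.append(f"seq={self.seq} type={msg_type}: rejected (strict kex)")
            return False
        self.log.append(f"seq={self.seq} type={msg_type}: accepted")
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.in_kex = False
            if self.strict_kex:
                self.seq = 0  # encrypted phase starts from a known counter value
        return True


def run_handshake(strict_kex: bool, stray_ignore: bool):
    """Feed a constructed server->client KEX flow; return (survived, seq after NEWKEYS).

    With stray_ignore an SSH_MSG_IGNORE sits between KEXINIT and the DH reply,
    which legacy handling accepts (shifting the counter) and strict mode rejects.
    """
    r = Receiver(strict_kex)
    flow = [SSH_MSG_KEXINIT]
    if stray_ignore:
        flow.append(SSH_MSG_IGNORE)
    flow += [SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS]
    for m in flow:
        if not r.receive(m):
            return False, r.seq
    return True, r.seq
```

In legacy mode the sequence number entering the encrypted phase depends on how many packets preceded NEWKEYS; in strict mode it is always zero and the stray message ends the connection.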