I've worked during January 2024 on the below listed packages, for Freexian LTS/ELTS [1]
Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS and ELTS - paramiko - CVE-2023-48795

Unfortunately, only _after_ backporting the patch for CVE-2023-48795 (terrapin) and fighting with the test suite for a while, I figured out that there is a tool to check SSH implementations [3], and that gave me additional clues that paramiko might not be vulnerable to terrapin. So I then reached out to upstream [4] and got confirmation that this is indeed true: Paramiko in buster does not implement the vulnerable ciphers (and it also does not support EXT_INFO, which might be relevant if someone wants to exploit terrapin -- but I'm not 100% sure about that part). If it is true that EXT_INFO is required to exploit, this would also mean that bookworm is not vulnerable.

[3] https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.0
[4] https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735

FWIW, I've put the backport on a dedicated branch, tobi_backport_strict_key, on the LTS repo, in case this is found to be useful in the future. (Basically this should enable strict KEX support, but will for sure require more testing.)

LTS and ELTS - zabbix

LTS: DLA-3717-1
  CVE-2023-32721 CVE-2023-32723 CVE-2023-32726
ELTS: ELA-1041-1
  CVE-2023-32721 CVE-2023-32726

The work on zabbix also included triaging several CVEs that had been marked as being vulnerable in LTS and ELTS, but some of them were introduced only in versions later than the ones in buster, stretch and jessie. This was the case for CVE-2023-32725, CVE-2023-32727 and CVE-2023-32728.

The code involving LDAP management, which was the code around CVE-2023-32723, has been significantly changed in buster, therefore the patch could not be applied to the ELTS suites. The code has been changed so much that I could not determine if the present code is vulnerable at all. The code base has changed to a model-view-controller in later versions, so I did not find a way to backport the fix, or even verify if it needs fixing at all.

Cheers,
-- tobi

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors