Source: python-asyncssh
Version: 2.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-asyncssh.
CVE-2026-54590[0]:
| AsyncSSH is a Python package which provides an asynchronous client
| and server implementation of the SSHv2 protocol on top of the Python
| asyncio framework. Version 2.23.0 contains an incomplete fix for
| CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and
| .. before %u substitution in AuthorizedKeysFile but does not block a
| leading ~ or ${ENV}, allowing later expansion in _expand_val and
| Path(filename).expanduser() to escape the intended authorized-keys
| directory. This issue is fixed in version 2.23.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-54590
https://www.cve.org/CVERecord?id=CVE-2026-54590
[1] https://github.com/ronf/asyncssh/security/advisories/GHSA-qr67-gv47-xwwh
[2]
https://github.com/ronf/asyncssh/commit/3d515ba9ba0cd9990d248bdf62bcf05d51261a88
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore