Your message dated Sun, 18 Aug 2024 11:55:31 +0000
with message-id <[email protected]>
and subject line Bug#1059007: fixed in python-asyncssh 2.15.0-1
has caused the Debian Bug report #1059007,
regarding python-asyncssh: CVE-2023-48795
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-asyncssh
Version: 2.10.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-asyncssh.
CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| [email protected] and (if CBC is used) the
| [email protected] MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55
[2] https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-asyncssh
Source-Version: 2.15.0-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-asyncssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-asyncssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Aug 2024 12:25:04 +0100
Source: python-asyncssh
Architecture: source
Version: 2.15.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1052788 1055999 1056000 1059007 1069811 1076423
Changes:
python-asyncssh (2.15.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream release (closes: #1076423):
- Hide cryptography 37.0.0 deprecation warnings (closes: #1069811).
- CVE-2023-48795: Implemented "strict kex" support and other
countermeasures to protect against the Terrapin Attack (closes:
#1059007).
- CVE-2023-46445, CVE-2023-46446: Hardened AsyncSSH state machine
against potential message injection attacks (closes: #1055999,
#1056000).
* Build-depend on openssl-provider-legacy where available; some tests need
it.
* Drop "Make Sphinx use default theme" and "Revert fido 0.9.2 support"
patches, as the relevant dependencies have since been upgraded.
* Deduplicate results from getaddrinfo (closes: #1052788).
* Enable PKCS#11 tests at build time, since python3-pkcs11 is now
packaged.
* Use pybuild-plugin-pyproject.
* Run tests using pytest.
Checksums-Sha1:
61971009ff23a698989b6f6aef750e8d3358209c 2687 python-asyncssh_2.15.0-1.dsc
8f3796c0e1e14ac92afca434e20d0f6bddae80a3 510350 python-asyncssh_2.15.0.orig.tar.gz
b32f858258aac0ee31d624f6f606b3401a46df11 9336 python-asyncssh_2.15.0-1.debian.tar.xz
Checksums-Sha256:
c0feaf480f8bb0bc97f7a361c451c3481abffe3fac6308988479a88d0c32f0df 2687 python-asyncssh_2.15.0-1.dsc
42a4b1f547d042f2c7541333afa7410f1ff3ec24d2a303b5d466ed251f343a52 510350 python-asyncssh_2.15.0.orig.tar.gz
815c96a94dc545eb39b184ade1ca0b9c8a6277dcdcf37626d183dd9e722bf8e8 9336 python-asyncssh_2.15.0-1.debian.tar.xz
Files:
1d3f7f397e1c68cc967f9ed80d91081d 2687 python optional python-asyncssh_2.15.0-1.dsc
61d30c52b9620a7ac3e3121ffe573614 510350 python optional python-asyncssh_2.15.0.orig.tar.gz
cf1915812c0dc7e50f219a072ab0f3a8 9336 python optional python-asyncssh_2.15.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmbB2n8ACgkQOTWH2X2G
UAsInxAAmwqzfgJ2KwlAzDRQ543zyj4JyW5xGdkRD/gaJNDwxB/5YRSgbLgQjsHY
REHjKfrMLpilyDrHuQdsNAPD/ePcsUPcwsGtxKvCiqLMrehgGeVGbn8mgHgOUnWQ
bOi076tKas+3av2Jg1gIXmkK8+ZvIdZdMVB+VuCpSnpwEA7/+uHnPSTn6AWBA8qi
mJa75Nhl/DY+kuhPXC73yRIpn1IQbwJgKvY2bhTq4wCFwdACEC5UgU6fFfkYu7ko
psOsfDuJAfbZTJ/tiyuNI91KjuKwfe+1VnYm9VMF0qW6QwWHsMxSroHAlHQhNoVe
rv2C268YOmRiUz33lq9XvTlA5sHKZ2yVg0AN0D1QN1jQcEA2zfvDVBVb1qQDsMyx
xew74Fv/ukvesRumXU6bGdbpyZBL23499HbNF1eVDaSm9qsCVbJU1HaSxv51QZjn
I0rcw/dNVQljMN4AOrXGTH6ACSO7wAFxfjQWw1xGpGkVMmtG44N8WTTW5un2rFr5
Q+pdKz1JGF+yWF8m3yg+v6EMf8gmJIA1H858RGQF/7ijaYwrbG1uxTnPWuxrRnAJ
1y8AHE6orbC2k90ggusbctIjKAooe1oD9Ven+oGfRffuhKREYuXI6xaa/CfH56i4
g/BTBfO5IkzB3S6aokWvUNVdbVsZefqERS4OZZ9nJFoECNP1Clw=
=653h
-----END PGP SIGNATURE-----
--- End Message ---
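The CVE text above names the affected cipher/MAC combinations (ChaCha20-Poly1305, and CBC ciphers with Encrypt-then-MAC), and the changelog says the fix is "strict kex" support. The following is an added example, not code from AsyncSSH or from the Debian package: it evaluates an SSH algorithm negotiation offline, from the name-lists each side would place in SSH_MSG_KEXINIT, and reports whether strict kex would be agreed and, if not, whether either traffic direction would land on an affected combination. The `kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com` pseudo-algorithm names are the markers OpenSSH defined for strict kex; the sample name-lists are constructed for the example, not captured from real hosts.

```python
# Added example (not AsyncSSH or Debian package code): assess an SSH algorithm
# negotiation for Terrapin (CVE-2023-48795) exposure from KEXINIT name-lists.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Pseudo-algorithms OpenSSH defined for "strict kex"; each side advertises its
# own marker inside kex_algorithms, and strict kex is on only if both appear.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA20_POLY1305 = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"


@dataclass
class KexInit:
    """The subset of SSH_MSG_KEXINIT name-lists that matter for this check."""
    kex: str       # kex_algorithms
    enc_c2s: str   # encryption_algorithms_client_to_server
    enc_s2c: str   # encryption_algorithms_server_to_client
    mac_c2s: str   # mac_algorithms_client_to_server
    mac_s2c: str   # mac_algorithms_server_to_client


def parse_name_list(value: str) -> list[str]:
    """Split a comma-separated SSH name-list, dropping empty entries."""
    return [name for name in value.split(",") if name]


def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 s7.1: the first algorithm on the client's list that the server
    also lists is chosen; None means the negotiation would fail."""
    server_names = set(parse_name_list(server))
    for name in parse_name_list(client):
        if name in server_names:
            return name
    return None


def direction_exposed(cipher: Optional[str], mac: Optional[str]) -> bool:
    """Combinations the CVE text names as affected: ChaCha20-Poly1305 (its MAC is
    integrated, so the MAC list is irrelevant) and a CBC cipher with an EtM MAC."""
    if cipher is None:
        return False
    if cipher == CHACHA20_POLY1305:
        return True
    return cipher.endswith("-cbc") and mac is not None and mac.endswith(ETM_SUFFIX)


def assess(client: KexInit, server: KexInit) -> dict:
    """Report whether strict kex is negotiated and, if it is not, whether either
    direction would use an affected cipher/MAC pair."""
    strict = (STRICT_KEX_CLIENT in parse_name_list(client.kex)
              and STRICT_KEX_SERVER in parse_name_list(server.kex))
    enc_c2s = negotiate(client.enc_c2s, server.enc_c2s)
    enc_s2c = negotiate(client.enc_s2c, server.enc_s2c)
    mac_c2s = negotiate(client.mac_c2s, server.mac_c2s)
    mac_s2c = negotiate(client.mac_s2c, server.mac_s2c)
    exposed = (not strict) and (direction_exposed(enc_c2s, mac_c2s)
                                or direction_exposed(enc_s2c, mac_s2c))
    return {"strict_kex": strict, "enc_c2s": enc_c2s, "mac_c2s": mac_c2s,
            "enc_s2c": enc_s2c, "mac_s2c": mac_s2c, "vulnerable": exposed}


# Constructed sample name-lists for the example (not captured from real hosts).
LEGACY_KEX = "curve25519-sha256,diffie-hellman-group14-sha256"
PATCHED_CLIENT_KEX = LEGACY_KEX + "," + STRICT_KEX_CLIENT
PATCHED_SERVER_KEX = LEGACY_KEX + "," + STRICT_KEX_SERVER
CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr"
MACS = "hmac-sha2-256-etm@openssh.com,hmac-sha2-256"

LEGACY_CLIENT = KexInit(LEGACY_KEX, CIPHERS, CIPHERS, MACS, MACS)
LEGACY_SERVER = KexInit(LEGACY_KEX, CIPHERS, CIPHERS, MACS, MACS)
PATCHED_CLIENT = KexInit(PATCHED_CLIENT_KEX, CIPHERS, CIPHERS, MACS, MACS)
PATCHED_SERVER = KexInit(PATCHED_SERVER_KEX, CIPHERS, CIPHERS, MACS, MACS)
# A server that simply does not offer the affected cipher is safe even without
# strict kex, because CTR with EtM is not among the combinations the CVE names.
CTR_ONLY_SERVER = KexInit(LEGACY_KEX, "aes128-ctr", "aes128-ctr", MACS, MACS)

if __name__ == "__main__":
    for label, c, s in [("legacy/legacy", LEGACY_CLIENT, LEGACY_SERVER),
                        ("patched/patched", PATCHED_CLIENT, PATCHED_SERVER),
                        ("patched/legacy", PATCHED_CLIENT, LEGACY_SERVER),
                        ("legacy/ctr-only", LEGACY_CLIENT, CTR_ONLY_SERVER)]:
        print(label, assess(c, s))
```

The "patched/legacy" case is the one worth remembering when rolling out a fix: strict kex is only in effect when both peers advertise it, so a patched client talking to an unpatched server still negotiates ChaCha20-Poly1305 without the countermeasure, and the report flags it.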