Your message dated Wed, 21 Aug 2024 20:32:44 +0000
with message-id <[email protected]>
and subject line Bug#1059007: fixed in python-asyncssh 2.10.1-2+deb12u1
has caused the Debian Bug report #1059007,
regarding python-asyncssh: CVE-2023-48795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1059007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-asyncssh
Version: 2.10.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-asyncssh.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1305@openssh.com and (if CBC is used) the
| -etm@openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/ronf/asyncssh/security/advisories/GHSA-hfmc-7525-mj55
[2] https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-asyncssh
Source-Version: 2.10.1-2+deb12u1
Done: Steve McIntyre <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-asyncssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated python-asyncssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 16 Apr 2024 16:14:32 +0200
Source: python-asyncssh
Architecture: source
Version: 2.10.1-2+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Closes: 1059007
Changes:
 python-asyncssh (2.10.1-2+deb12u1) bookworm-security; urgency=medium
 .
   * Apply and tweak upstream security fix for CVE-2023-48795
     Implement "strict kex" support to harden AsyncSSH against Terrapin
     Attack. Closes: #1059007



--- End Message ---
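The CVE text above describes the Terrapin downgrade (an integrity bypass during the handshake when chacha20-poly1305@openssh.com or a CBC cipher with an -etm MAC is negotiated), and the changelog names the mitigation, strict kex. As an added illustration that is not part of this bug report or of AsyncSSH itself, the Python below parses a pair of constructed SSH_MSG_KEXINIT payloads (RFC 4253 layout), runs the standard first-client-preference negotiation, and reports which directions would still be exposed; the strict-kex pseudo-algorithm names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com are taken from the OpenSSH 9.6 extension, not from the report, and every sample offer is constructed.

```python
import struct
SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Strict-kex pseudo-algorithm names from the OpenSSH 9.6 extension (assumed here, not from the report).
STRICT_C, STRICT_S = "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"

def build_kexinit(lists):
    """Serialise a KEXINIT payload (RFC 4253 section 7.1) from ten name-lists; a zeroed cookie is fine for tests."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in lists:
        s = ",".join(names).encode()
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows = false, reserved = 0

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}                            # skip message id and the 16-byte cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        lists[field] = [a for a in payload[pos:pos + n].decode().split(",") if a]
        pos += n
    return lists

def negotiate(client, server, field):
    """RFC 4253: the first client-preferred name that the server also offers (None if no match)."""
    return next((a for a in client[field] if a in server[field]), None)

def terrapin_exposure(client, server):
    """Return (strict_kex_active, [(direction, cipher, mac)]) for directions still open to the attack."""
    strict = STRICT_C in client["kex"] and STRICT_S in server["kex"]
    exposed = []
    for d in ("c2s", "s2c"):
        enc, mac = negotiate(client, server, "enc_" + d), negotiate(client, server, "mac_" + d)
        chacha = enc == "chacha20-poly1305@openssh.com"
        cbc_etm = bool(enc and enc.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"))
        if (chacha or cbc_etm) and not strict:    # strict kex on both sides is what closes the handshake window
            exposed.append((d, enc, mac))
    return strict, exposed

def sample_assessment(server_strict):
    """Constructed client/server offers; the server advertises strict kex only when server_strict is set."""
    client = [["curve25519-sha256", STRICT_C], ["ssh-ed25519"], ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
              ["aes256-gcm@openssh.com"], ["hmac-sha2-256-etm@openssh.com"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    server = [["curve25519-sha256"] + ([STRICT_S] if server_strict else []), ["ssh-ed25519"], ["aes256-gcm@openssh.com",
              "chacha20-poly1305@openssh.com"], ["aes256-gcm@openssh.com"], ["hmac-sha2-256-etm@openssh.com"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    return terrapin_exposure(parse_kexinit(build_kexinit(client)), parse_kexinit(build_kexinit(server)))
```

An unpatched server (no strict-kex pseudo-algorithm in its offer) leaves the client-to-server direction exposed through the negotiated ChaCha20-Poly1305 cipher; the same offers with strict kex on both sides report nothing.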