Your message dated Fri, 03 Jan 2025 18:32:10 +0000
with message-id <[email protected]>
and subject line Bug#1055999: fixed in python-asyncssh 2.10.1-2+deb12u2
has caused the Debian Bug report #1055999,
regarding python-asyncssh: CVE-2023-46446
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1055999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055999
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-asyncssh
Version: 2.10.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-asyncssh.
CVE-2023-46446[0]:
| An issue in AsyncSSH v2.14.0 and earlier allows attackers to control
| the remote end of an SSH client session via packet injection/removal
| and shell emulation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-46446
https://www.cve.org/CVERecord?id=CVE-2023-46446
[1] https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-asyncssh
Source-Version: 2.10.1-2+deb12u2
Done: Daniel Leidert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-asyncssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated python-asyncssh
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 Jan 2025 01:35:52 +0100
Source: python-asyncssh
Architecture: source
Version: 2.10.1-2+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1055999 1056000
Changes:
 python-asyncssh (2.10.1-2+deb12u2) bookworm; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * debian/patches/CVE-2023-46445-and-CVE-2023-46446.patch: Add patch to fix
     CVE-2023-46445 and CVE-2023-46446 (Rogue Session Attack, Rogue Extension
     Negotiation):
     - Put additional restrictions on when messages are accepted during the
       SSH handshake to avoid message injection attacks from a rogue client
       or server (closes: #1055999, #1056000).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---