Your message dated Tue, 02 Jan 2024 22:39:34 +0000
with message-id <[email protected]>
and subject line Bug#1059005: fixed in libssh2 1.11.0-4
has caused the Debian Bug report #1059005,
regarding libssh2: CVE-2023-48795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1059005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh2
Version: 1.11.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/libssh2/libssh2/issues/1290
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libssh2.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| [email protected] and (if CBC is used) the
| [email protected] MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/libssh2/libssh2/issues/1290

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libssh2
Source-Version: 1.11.0-4
Done: Nicolas Mora <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libssh2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Mora <[email protected]> (supplier of updated libssh2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Dec 2023 17:33:18 -0500
Source: libssh2
Architecture: source
Version: 1.11.0-4
Distribution: unstable
Urgency: medium
Maintainer: Nicolas Mora <[email protected]>
Changed-By: Nicolas Mora <[email protected]>
Closes: 1059005
Changes:
 libssh2 (1.11.0-4) unstable; urgency=medium
 .
   * d/patch: Add patch for Terrapin attack
     Fixes CVE-2023-48795 (Closes: #1059005)
   * d/copyright: Update copyright years
Checksums-Sha1:
 4f3d712947ffbe803cafd05346a72b306956bdc3 2289 libssh2_1.11.0-4.dsc
 fbdb4751a4bc93e895e9c3426f7f80b437d250fe 1053562 libssh2_1.11.0.orig.tar.gz
 45356748f83d27fe878dd5d963d1d1dbcc3298c7 488 libssh2_1.11.0.orig.tar.gz.asc
 8023af3998ebd8b3216812940738fa122ed10215 13892 libssh2_1.11.0-4.debian.tar.xz
 6cae29c43f91c224fc7c854fc4039eca9e89e2f3 7543 libssh2_1.11.0-4_amd64.buildinfo
Checksums-Sha256:
 4e470d039d3fe584247ba6fe55d6df1f61b7d5ca1f6a20e935f3429fc2260bee 2289 
libssh2_1.11.0-4.dsc
 3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461 1053562 
libssh2_1.11.0.orig.tar.gz
 b6a32c85a3f9b6f30f2b3595ba034b48a8508ee9c94708ef811f58fd7adfcdee 488 
libssh2_1.11.0.orig.tar.gz.asc
 490185b99efe121a516dd36867ced264babbe638568ddaf8cf6a6b5ed1afc01a 13892 
libssh2_1.11.0-4.debian.tar.xz
 80001678b7032735acca6a1e9f924e8ba59848b77a6a27f4d0e7b3c7647d1d66 7543 
libssh2_1.11.0-4_amd64.buildinfo
Files:
 ddd31b9ca3b199c0136a728851d4e1b2 2289 libs optional libssh2_1.11.0-4.dsc
 a01d543fd891ca48fe47726540d50b17 1053562 libs optional 
libssh2_1.11.0.orig.tar.gz
 afe042f2abfbc990ba9f9081af7f9887 488 libs optional 
libssh2_1.11.0.orig.tar.gz.asc
 107bc22137c5bf2a0039ec61aab71756 13892 libs optional 
libssh2_1.11.0-4.debian.tar.xz
 403a0ff5b45e03b8b9d468117f046d35 7543 libs optional 
libssh2_1.11.0-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhAWwL8wo75dEyPJT/oITlEC9IrkFAmWUifUACgkQ/oITlEC9
IrkI4g/+LcVh8g9wjjTjRyP7djyVRA4mm9L/qfE/Hj7ng477plLPavkorfdnrN1f
w1RlDJY5rkMRb1+BZ0U77RdjBtKEzM/9Y3AnsjmVSO7sL7K8T3KVpegXPBmAG51n
sc0i4V8Oov+0MMPfK/YWgBaj8etFpzYgDazu8hVXmnFWK5hc0QPS8AtII0VXjeIU
Ha+j0Ij+oZ8lK+DoBj2rqT87KqZuM6V+4CVzqQ6ujIoP0eI/Jx89yqzlfo/Byqcv
336L0RBtJtaWh4WLWQhed/ntZzPC8PxvEMWiao6G2FupitNMw24x1cm70GBXFQLB
EhLcOR+v5SQrIP88uV7FIceooqPMIkUiYdl09Yp89rhrUfIGV5LvXUqk8cXdFspg
KVcLuj/yjcxOvmCt6i0O1cFenoOF37fZHFYtho7offGMMs+YKEbhLpgZCzepG4tn
5NpGMqe9fIfLGKEQGs9KfbF9GbbBvyOk3WG9l9aO/pEJyGrR3Si1AJKsbiAoc2d3
1ckOH1UA6HvtWZ+jRj3Qf9C59w0ixb1dZxF/HH7+Nkr2fothopeoB4jAt4FHuBs2
84E3h34Eqbgz2AR7FPBn/twvhQBNgrWJcQSpNacpTqfeq2vfc0eCZAIbRSq3xQGG
sfXaI3cO/dLBn9XC9SkZnubgMYcxqUFt9FZQHwUK6NVsQumyzVA=
=kL4A
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to