Your message dated Thu, 25 Jan 2024 02:34:36 +0000
with message-id <[email protected]>
and subject line Bug#1059001: fixed in dropbear 2022.83-4
has caused the Debian Bug report #1059001,
regarding dropbear: CVE-2023-48795
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059001
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dropbear
Version: 2022.83-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for dropbear.
CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| [email protected] and (if CBC is used) the
| [email protected] MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.
Dropbear commit [1] implements the Strict KEX mode as well. In my
understanding of [2] the issue might be less of a security concern for
Dropbear itself, not reducing the Dropbear security.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
https://www.cve.org/CVERecord?id=CVE-2023-48795
[1]
https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
[2]
https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: dropbear
Source-Version: 2022.83-4
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Jan 2024 02:08:38 +0100
Source: dropbear
Architecture: source
Version: 2022.83-4
Distribution: unstable
Urgency: medium
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1059001
Changes:
dropbear (2022.83-4) unstable; urgency=medium
.
* Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
certain OpenSSH extensions allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation
message), and a client and server may consequently end up with a
connection for which some security features have been downgraded or
disabled, aka a Terrapin attack. (Closes: #1059001)
Checksums-Sha1:
529cce1939c25d2a9f1886344f6b21444e0a6144 2524 dropbear_2022.83-4.dsc
ed7b1af3304dcb9f607ddb73db0d4a240dc6e4c4 37300 dropbear_2022.83-4.debian.tar.xz
a98b7789151840b0a10ac5ade72a8732d20444d6 7072
dropbear_2022.83-4_amd64.buildinfo
Checksums-Sha256:
74c39231d745bafd5c14e6978f016292bec418f9f70374fb360a0e732e1e17ae 2524
dropbear_2022.83-4.dsc
c18217754f260fa29240b0516b1ce69cfaf8c600ec7dbf81eb427c40740718dc 37300
dropbear_2022.83-4.debian.tar.xz
54e0fbc46f7455d8ca55fe9beee3fdda74aad7293f0f3cbc46b664415363e03e 7072
dropbear_2022.83-4_amd64.buildinfo
Files:
4f765e656c0b5da906d611892bf1bbf4 2524 net optional dropbear_2022.83-4.dsc
5ad523ca46a1f5379bf8b72aa968973e 37300 net optional
dropbear_2022.83-4.debian.tar.xz
5a465386243990cfaa85916038349412 7072 net optional
dropbear_2022.83-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmWxtVkACgkQ05pJnDwh
pVIZ5RAAn7ha9Miw16QWcXAYTUkH/MFjeK9oy4aXZLqKs6YaPtfujwK/9XYnRftZ
Mk/RA5927XI9RzIXJW+UnP4qb9V4gP1a979O2xO44+B2am+o469pCa5po+Yucpqs
yloNPK+jP/EsaeAAGXEnLZjC8H4ue2LTo0C+Wa7zCS5dYElOvVUR3FQnyU+W6YtR
nxxw/7y0p/WLzKpihSYxfqcxSYqRO1gPkPOonz94MYetHeImYSgkTCsW4Mg1j1Xi
SgHO5VuxiwXNC4VnDmawAFf2KaievK0aZRDHg3xbJO7G6FA7itCJ8bCbnWK6EodO
Iv/AOslOFKJ2K2ARI6o0dRqtTKc8Xg973lXT+V+Y10XExWX8iz7qam5wVi13seZr
igZMpgmhsGSGjuKurWH7XRUdLyWWQ4CBmphEqsrL3C9Lr75sNbWJL8lcY+KaETzb
zwbvnBDGxZw1XhPFOmWcHkkz0IGpfLcEn21nlMXfR3P5Y6ZKm97NLDK9YfQyPwHq
wJfQi2uHozI5QakbzFSaFwTgOyW8vZN4JXynULYEa7Jd7aYp8stFZNPyPIltQTAx
UUKALRG0BN7Ztv73QmbWMkHHyrEXPYXLCRnl/8elY6giANTeJ2EGPlU4xFuhcEb9
tHnu21RJFsjp9H/gLRnr6yKW6KLddUQKljWu46zeaqUP8rhGYng=
=w8e8
-----END PGP SIGNATURE-----
--- End Message ---
