Your message dated Wed, 31 Jan 2024 10:03:13 +0000
with message-id <[email protected]>
and subject line Bug#1059001: fixed in dropbear 2022.83-1+deb12u1
has caused the Debian Bug report #1059001,
regarding dropbear: CVE-2023-48795
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1059001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059001
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dropbear
Version: 2022.83-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for dropbear.
CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| [email protected] and (if CBC is used) the
| [email protected] MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.
Dropbear commit [1] implements the Strict KEX mode as well. In my
understanding of [2] the issue might be less of a security concern for
Dropbear itself, not reducing the Dropbear security.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
[2] https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
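As an added example (not part of the bug report, the CVE text, or the dropbear project), the following Python parses an SSH_MSG_KEXINIT payload per RFC 4253 section 7.1 and reports whether a peer advertises the strict-KEX extension that the fixed dropbear implements, and whether it still offers the ChaCha20-Poly1305 or CBC-with-Encrypt-then-MAC modes the CVE names. The kex-strict-*-v00@openssh.com names are OpenSSH's pseudo-algorithm identifiers; the sample payloads are constructed test data, not captured packets.

```python
import struct
SSH_MSG_KEXINIT = 20
# OpenSSH's strict-KEX pseudo-algorithm names (server-side and client-side).
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"
# The ten KEXINIT name-lists, in RFC 4253 section 7.1 order.
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _name_list(buf, off):
    # RFC 4253 name-list: uint32 length, then comma-separated ASCII names.
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists keyed by FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}  # skip the message id and the 16-byte random cookie
    for f in FIELDS:
        out[f], off = _name_list(payload, off)
    return out

def terrapin_exposure(payload):
    """Report whether a peer's KEXINIT leaves it exposed to CVE-2023-48795."""
    k = parse_kexinit(payload)
    strict = bool(STRICT_KEX & set(k["kex"]))
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    chacha = CHACHA in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs)
    # Exposed only when a vulnerable mode is offered AND strict KEX is not.
    return {"strict_kex": strict, "chacha20_poly1305": chacha, "cbc_etm": cbc_etm,
            "vulnerable": (chacha or cbc_etm) and not strict}

def build_kexinit(kex, ciphers, macs):
    """Construct a sample KEXINIT payload (test data, not a captured packet)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + nl(kex) + nl(["ssh-ed25519"])
    body += nl(ciphers) * 2 + nl(macs) * 2 + nl(["none"]) * 2 + nl([]) * 2
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed samples: an unpatched peer, and one advertising strict KEX.
UNPATCHED = build_kexinit(["curve25519-sha256"], [CHACHA, "aes128-cbc"],
                          ["hmac-sha2-256-etm@openssh.com"])
PATCHED = build_kexinit(["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
                        [CHACHA], ["hmac-sha2-256"])
```

Run `terrapin_exposure(payload)` on a KEXINIT payload taken from a capture or a live handshake; a result with `vulnerable` set indicates the peer has not been updated to a strict-KEX build.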
--- Begin Message ---
Source: dropbear
Source-Version: 2022.83-1+deb12u1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 26 Jan 2024 10:01:00 +0100
Source: dropbear
Architecture: source
Version: 2022.83-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1059001
Changes:
dropbear (2022.83-1+deb12u1) bookworm; urgency=medium
.
* Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
certain OpenSSH extensions allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation
message), and a client and server may consequently end up with a
connection for which some security features have been downgraded or
disabled, aka a Terrapin attack. (Closes: #1059001)
--- End Message ---