Source: trilead-ssh2 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability should also affect Trilead SSH: https://terrapin-attack.com/ CVE-2023-48795[0]: | The SSH transport protocol with certain OpenSSH extensions, found in | OpenSSH before 9.6 and other products, allows remote attackers to | bypass integrity checks such that some packets are omitted (from the | extension negotiation message), and a client and server may | consequently end up with a connection for which some security | features have been downgraded or disabled, aka a Terrapin attack. | This occurs because the SSH Binary Packet Protocol (BPP), | implemented by these extensions, mishandles the handshake phase and | mishandles use of sequence numbers. For example, there is an | effective attack against SSH's use of ChaCha20-Poly1305 (and CBC | with Encrypt-then-MAC). The bypass occurs in | chacha20-poly1...@openssh.com and (if CBC is used) the | -e...@openssh.com MAC algorithms. This also affects Maverick Synergy | Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh | before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before | 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, | libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera | Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo | before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense | CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and | before1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 | before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library | before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, | TinySSH through 20230101, trilead-ssh2 6401, the net-ssh gem 7.2.0 | for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the | thrussh library before 0.35.1 for Rust, and the Russh crate before | 0.40.2 for Rust; and there could be effects on Bitvise SSH through | 9.31. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-48795 https://www.cve.org/CVERecord?id=CVE-2023-48795 Please adjust the affected versions in the BTS as needed. __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
