#1059294 trilead-ssh2: CVE-2023-48795

Package: src:trilead-ssh2
Source: src:trilead-ssh2
Submitter: Moritz Mühlenhoff
Date: 2025-02-18 16:24:01 UTC
Severity: normal
Tags:
#1059294#5
Date: 2023-12-22 12:42:01 UTC
From:
To:
Hi,

The following vulnerability should also affect Trilead SSH:
https://terrapin-attack.com/

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1305@openssh.com and (if CBC is used) the
| -etm@openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6,
| libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera
| Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo
| before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense
| CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and
| before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7
| before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library
| before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0,
| TinySSH through 20230101, trilead-ssh2 6401, the net-ssh gem 7.2.0
| for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the
| thrussh library before 0.35.1 for Rust, and the Russh crate before
| 0.40.2 for Rust; and there could be effects on Bitvise SSH through
| 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
https://www.cve.org/CVERecord?id=CVE-2023-48795

Please adjust the affected versions in the BTS as needed.
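
The CVE text above names the affected modes (chacha20-poly1305@openssh.com, and CBC ciphers combined with -etm@openssh.com MACs). The following added example, which is not part of the bug report or of trilead-ssh2, parses one peer's SSH_MSG_KEXINIT payload and reports whether it offers those modes without advertising the strict key exchange markers that OpenSSH 9.6 introduced as the countermeasure. The function names and the sample offer are assumptions constructed for illustration.

```python
import struct

# Names from the CVE text; strict-kex markers are the OpenSSH 9.6 countermeasure.
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
STRICT = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip the message type byte and the 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        off += n
    return out

def terrapin_report(lists: dict) -> dict:
    """Flag the affected modes in one peer's offer and whether it advertises strict kex."""
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = CHACHA in enc
    cbc_etm = (any(c.endswith("-cbc") for c in enc)
               and any(m.endswith(ETM_SUFFIX) for m in mac))
    strict = bool(STRICT & set(lists["kex"]))
    # Strict kex only protects a connection when both peers advertise it.
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "needs_fix": (chacha or cbc_etm) and not strict}

def build_kexinit(lists: dict) -> bytes:
    """Encode constructed sample offers so the parser has input to read."""
    body = bytes([20]) + bytes(16)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)

# Constructed offer, not captured from trilead-ssh2 or any real peer.
SAMPLE = {"kex": ["curve25519-sha256"], "enc_c2s": ["aes128-cbc"], "enc_s2c": ["aes128-cbc"],
          "mac_c2s": ["hmac-sha2-256-etm@openssh.com"], "mac_s2c": ["hmac-sha2-256-etm@openssh.com"]}
```

The report covers a single peer's offer; whether a given connection is protected depends on the algorithms actually negotiated and on both sides advertising strict kex.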

#1059294#12
Date: 2025-02-18 16:21:55 UTC
From:
To:
Hi,

Since trilead-ssh2 came up as a candidate for the Bug of the Day[1], I
realised the watch file was outdated and pointed it to GitHub, where a
long series of newer releases was tagged.  Unfortunately the version
string is a bit unfortunate and we might need an epoch most probably.
I found some workaround without this for the moment but I'd recommend
finding a better solution.

Upstream does *not* mention CVE-2023-48795 inside the code and the Git
log. However, the log mentions CVE-2021-22569 - so it's probably worth
uploading the latest version anyway and pinging upstream about
CVE-2023-48795.

Unfortunately it's not that simple to build the new upstream version.  As
you can see in Salsa CI[2] it seems we need two new Build-Depends.  Thus
for the moment I simply updated the metadata of the package and hope
someone else will catch up from here.

Kind regards
    Andreas.

[1] https://salsa.debian.org/tille/tiny_qa_tools/-/wikis/Tiny-QA-tasks#bug-of-the-day
[2] https://salsa.debian.org/java-team/trilead-ssh2/-/jobs/7114202#L1665