Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: libssh2 (Terrapin) #1311

Closed
dongsupark opened this issue Jan 9, 2024 · 0 comments · Fixed by flatcar/scripts#1733
Closed

update: libssh2 (Terrapin) #1311

dongsupark opened this issue Jan 9, 2024 · 0 comments · Fixed by flatcar/scripts#1733
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

Name: libssh2
CVEs: CVE-2023-48795
CVSSs: 5.9
Action Needed: TBD

Summary: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack.

This is the same CVE as #1301, but the issue is only about libssh2.

There is still no release for the fix. The fix PR was already merged.

refmap.gentoo: TBD
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Drop unused net-libs/libssh2 package flatcar/scripts
1 participant
@dongsupark