Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Debian 11: DLA-3899-1 critical: AsyncSSH attacks mitigated

debian lts
Calendar Grey September 27, 2024
Dist Debian Esm H88
Ubuntu Security Notice USN-4520-1 addresses vulnerabilities in OpenSSH, improving the overall safety of SSH services.
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python 3.4+ asyncio framework

Summary

CVE-2023-46445

A vulnerability has been discovered that allows attackers to control
the extension info message (RFC 8308) via a man-in-the-middle attack
(aka Rogue Extension Negotiation).

CVE-2023-46446

A vulnerability has been discovered that allows attackers to control
the remote end of an SSH client session via packet injection/removal
and shell emulation (aka Rogue Session attack).

CVE-2023-48795

A vulnerability has been discovered allows remote attackers to bypass
integrity checks, and a client and server may consequently end up with
a connection for which some security features have been downgraded or
disabled (aka Terrapin attack).

For Debian 11 bullseye, these problems have been fixed in version
2.5.0-0.1+deb11u1.

We recommend that you upgrade your python-asyncssh packages.

For the detailed security status of python-asyncssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/python-asyncssh

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: python-asyncssh
Version: 2.5.0-0.1+deb11u1
CVE ID: CVE-2023-46445 CVE-2023-46446 CVE-2023-48795
Debian Bug: 1055999 1056000 1059007

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here