Alerts This Week
Warning Icon 1 485
Alerts This Week
Warning Icon 1 485

Mageia 9 MGASA-2024-0002 moderate: libssh2 integrity downgrade issue

mageia
Calendar Grey January 8, 2024
Dist Mageia Esm H88
A major update for libssh2 addresses integrity downgrade issues exposing SSH connections to potential threats.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packet...

Summary

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. Our libssh2 packages were also affected, this update fixes the issue.

References

- https://bugs.mageia.org/show_bug.cgi?id=32662

- https://github.com/libssh2/libssh2/issues/1290

- https://www.cve.org/CVERecord?id=CVE-2023-48795

Resolution

SRPMS

- 9/core/libssh2-1.10.0-3.1.mga9

Publication date: 08 Jan 2024
URL: https://advisories.mageia.org/MGASA-2024-0002.html
Type: security
CVE: CVE-2023-48795

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here