MGASA-2024-0004

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2024-0004.html

Import Source

https://advisories.mageia.org/MGASA-2024-0004.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2024-0004

Related

CVE-2023-48795

Published

2024-01-08T19:01:05Z

Modified

2024-01-08T18:48:49Z

Summary

Updated dropbear package fixes a security vulnerability

Details

Parts of the SSH specification are vulnerable to a novel prefix truncation attack (a.k.a. Terrapin attack), which allows a man-in-the-middle attacker to strip an arbitrary number of messages right after the initial key exchange, breaking SSH extension negotiation (RFC8308) in the process and thus downgrading connection security.

Mitigations

To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes. Support for strict key exchange has been added to a variety of SSH implementations, including OpenSSH itself, PuTTY, libssh, and more. This release includes a patch to implement Strict KEX mode.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:9 / dropbear

Package

Name: dropbear
Purl: pkg:rpm/mageia/dropbear?distro=mageia-9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2022.83-2.1.mga9

Ecosystem specific

{
    "section": "core"
}