Debian alert DLA-3899-1 (python-asyncssh)
| From: | Daniel Leidert <dleidert@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 3899-1] python-asyncssh security update |
| Date: | Fri, 27 Sep 2024 22:44:47 +0200 |
| Message-ID: | <2333b53ec213d23ad9a73992d74a7cc4a5d9e8ff.camel@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3899-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Daniel Leidert
September 27, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-asyncssh
Version        : 2.5.0-0.1+deb11u1
CVE ID         : CVE-2023-46445 CVE-2023-46446 CVE-2023-48795
Debian Bug     : 1055999 1056000 1059007

AsyncSSH is a Python package which provides an asynchronous client and
server implementation of the SSHv2 protocol on top of the Python 3.4+
asyncio framework. It has been discovered that it is vulnerable to:

CVE-2023-46445

    A vulnerability has been discovered that allows attackers to control
    the extension info message (RFC 8308) via a man-in-the-middle attack
    (aka Rogue Extension Negotiation).

CVE-2023-46446

    A vulnerability has been discovered that allows attackers to control
    the remote end of an SSH client session via packet injection/removal
    and shell emulation (aka Rogue Session attack).

CVE-2023-48795

    A vulnerability has been discovered that allows remote attackers to
    bypass integrity checks, and a client and server may consequently end
    up with a connection for which some security features have been
    downgraded or disabled (aka Terrapin attack).

For Debian 11 bullseye, these problems have been fixed in version
2.5.0-0.1+deb11u1.

We recommend that you upgrade your python-asyncssh packages.

For the detailed security status of python-asyncssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-asyncssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
