Your message dated Fri, 03 May 2024 17:21:04 +0000
with message-id <e1s2wam-007rmz...@fasolo.debian.org>
and subject line Bug#1059006: fixed in paramiko 3.4.0-1
has caused the Debian Bug report #1059006,
regarding paramiko: CVE-2023-48795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: paramiko
Version: 2.12.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/paramiko/paramiko/issues/2337
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for paramiko.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1...@openssh.com and (if CBC is used) the
| -e...@openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/paramiko/paramiko/issues/2337

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
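The CVE text above names the exact conditions a Terrapin-capable man-in-the-middle needs: the chacha20-poly1305@openssh.com cipher on its own, or a CBC cipher combined with an Encrypt-then-MAC (-etm@openssh.com) MAC, on a peer without the fix. The following is an added example, not code from paramiko, Debian or the bug reporter. It uses only the Python standard library so it runs without paramiko installed; the 3.4.0 threshold is taken from the changelog in this report, the algorithm names from the CVE text, and the cipher/MAC lists it inspects are constructed sample inputs (in practice they would come from the application's configured preferences, e.g. paramiko's `Transport.get_security_options()`).

```python
"""Terrapin (CVE-2023-48795) exposure check for paramiko-based tooling.

Added example, not paramiko's or Debian's code. Standard library only.
The fixed-version threshold (3.4.0) comes from the Debian changelog above;
the affected algorithm names come from the CVE description.
"""
import re
from typing import Iterable, List, Tuple

# First paramiko release carrying the Terrapin fix (per the changelog above).
FIXED_VERSION = (3, 4, 0)

# From the CVE text: ChaCha20-Poly1305 is affected by itself; CBC ciphers
# are affected only when paired with an Encrypt-then-MAC (-etm) MAC.
CHACHA = "chacha20-poly1305@openssh.com"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.4.0', '2.12.0-2' (Debian revision) or '3.4.0rc1' into a
    comparable tuple. Only the leading dotted numeric part is used."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_is_fixed(text: str) -> bool:
    """True if this side's paramiko version is at or above the fixed release.
    Note: strict kex only protects a session when BOTH peers support it."""
    v = parse_version(text)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # '3.4' compares as (3, 4, 0)
    return v >= FIXED_VERSION


def is_cbc(cipher: str) -> bool:
    return cipher.endswith("-cbc")


def is_etm(mac: str) -> bool:
    return mac.endswith("-etm@openssh.com")


def vulnerable_pairs(ciphers: Iterable[str], macs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return the (cipher, mac) combinations that an unpatched peer could be
    downgraded with. ChaCha20-Poly1305 is AEAD, so the MAC list is irrelevant
    for it; CBC needs an -etm MAC as well."""
    macs = list(macs)
    hits: List[Tuple[str, str]] = []
    for c in ciphers:
        if c == CHACHA:
            hits.append((c, "<aead, MAC unused>"))
        elif is_cbc(c):
            hits.extend((c, m) for m in macs if is_etm(m))
    return hits


def harden(ciphers: Iterable[str], macs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Preference lists with the affected combinations removed, for deployments
    that cannot upgrade yet. Dropping ChaCha20-Poly1305 and every CBC cipher is
    enough; the -etm MACs may stay because they are only a problem with CBC."""
    safe_ciphers = [c for c in ciphers if c != CHACHA and not is_cbc(c)]
    return safe_ciphers, list(macs)


def assess(version: str, ciphers: Iterable[str], macs: Iterable[str]) -> dict:
    """One report dict: is the local version fixed, which combinations are
    exposed if the peer is not, and what a hardened preference list looks like."""
    ciphers, macs = list(ciphers), list(macs)
    safe_c, safe_m = harden(ciphers, macs)
    return {
        "local_fixed": version_is_fixed(version),
        "exposed_combinations": vulnerable_pairs(ciphers, macs),
        "hardened_ciphers": safe_c,
        "hardened_macs": safe_m,
    }


if __name__ == "__main__":
    # Constructed sample preference lists, typical of an SSH client default set.
    sample_ciphers = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"]
    sample_macs = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
    for ver in ("2.12.0-2", "3.4.0-1"):  # the two versions named in this bug
        print(ver, assess(ver, sample_ciphers, sample_macs))
```

The version gate answers only whether the local side carries the fix; because the fix is the strict key-exchange extension, a patched client talking to an unpatched server still negotiates without it, which is why the algorithm audit and the hardened lists remain useful until both ends are updated.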
--- Begin Message ---
Source: paramiko
Source-Version: 3.4.0-1
Done: Santiago Ruano Rincón <santiag...@riseup.net>

We believe that the bug you reported is fixed in the latest version of
paramiko, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiag...@riseup.net> (supplier of updated paramiko package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 May 2024 07:10:06 -0300
Source: paramiko
Architecture: source
Version: 3.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Santiago Ruano Rincón <santiag...@riseup.net>
Closes: 1059006
Changes:
 paramiko (3.4.0-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 3.4.0
     - Fix Terrapin MitM attack (CVE-2023-48795) (Closes: #1059006)
   * Add debian/salsa-ci.yml
   * Update debian/patches/remove_pytest_relaxed.patch
   * Add python3-icecream to build-dependencies
   * Fix nose deprecation errors produced by pytest. Patch:
     0001-Use-pytest-s-setup_method-in-pytest-8-the-nose-metho.patch
   * Fix 32-bit-ism in protocol seqno rollover test from Terrapin fix. Patch
     from upstream
   * Add myself to Uploaders
Checksums-Sha1:
 f91bd03f9fdb26e461d9b25076639352752b9a52 1822 paramiko_3.4.0-1.dsc
 ef5132a21365332c7f2e3acaf1fb14d5807e0fd9 285456 paramiko_3.4.0.orig.tar.xz
 fae51b68c79712e6fd22749ab9313ea9256f0382 9088 paramiko_3.4.0-1.debian.tar.xz
 c3e1dda6332dbbfe5e7889bb05197b2524d01b35 7035 paramiko_3.4.0-1_amd64.buildinfo
Checksums-Sha256:
 70ddb9f57797f6255011c03c39eff3faf5de4bb91301138604cac660279137c3 1822 paramiko_3.4.0-1.dsc
 92b2064fc3673fa843ed758e7b07c027eb412d0061f45a96724d16435d88a9cc 285456 paramiko_3.4.0.orig.tar.xz
 36a3d144a87414db68a54e2d07c5f1d9a8c4fcf1f3ac54dd29470e1a270e317b 9088 paramiko_3.4.0-1.debian.tar.xz
 216d889c1aba26f31d6ce5f797cce9b0c3afc8545ec3af6a6b28782aad42f881 7035 paramiko_3.4.0-1_amd64.buildinfo
Files:
 fd8f604e4cba0e08d3be9ccc9969dfc6 1822 python optional paramiko_3.4.0-1.dsc
 e641bcd6294c1fde9411388f2695ae74 285456 python optional paramiko_3.4.0.orig.tar.xz
 4915535f5222b18feec5c0dc433de352 9088 python optional paramiko_3.4.0-1.debian.tar.xz
 ea43065773acce037b2249f6d4fec8fa 7035 python optional paramiko_3.4.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIwEARYIADQWIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCZjUZtBYcc2FudGlhZ29y
ckByaXNldXAubmV0AAoJECfePUUQSIbv6c0BAKDrhICsr+YfdYElt0NaLEqWvW02
BWCr0EqXuDzMAa1ZAQD6pNZJHKlpQsOiUG0MLqsY4Bav/z+quYmi665M1PazBg==
=G8u5
-----END PGP SIGNATURE-----


--- End Message ---