[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Dec 21 16:02:38 GMT 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2f9b1d76 by Salvatore Bonaccorso at 2023-12-21T17:01:57+01:00
Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -712,7 +712,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun
 	- proftpd-mod-proxy <unfixed>
 	- putty 0.80-1
 	- python-asyncssh <unfixed> (bug #1059007)
-	- tinyssh 20230101-4 (bug #1059058)
+	- tinyssh 20230101-4 (bug #1059058; unimportant)
 	- trilead-ssh2 <unfixed>
 	NOTE: https://terrapin-attack.com/
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
@@ -749,6 +749,10 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun
 	NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2)
 	NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81
 	NOTE: tinyssh: https://github.com/janmojzis/tinyssh/commit/ebaa1bd23c2c548af70cc8151e85c74f4c8594bb
+	NOTE: tinyssh: 20230101-4 implements kex-strict-s-v00 at openssh.com for the strict kex support. But
+	NOTE: since there is no support for EXT_INFO in tinyssh, even with the present chacha20-poly1305 at openssh.com
+	NOTE: encryption algorith, there is no downgrade of the connection security. An attack might result in
+	NOTE: hanging or breaking connction.
 CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...)
 	NOT-FOR-US: Apache Doris
 CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9b1d76b49ce0061f6cf9c567a0757192565fdf

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9b1d76b49ce0061f6cf9c567a0757192565fdf
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231221/d18476cc/attachment.htm>

More information about the debian-security-tracker-commits mailing list