Bug#1059144: proftpd-dfsg: CVE-2023-48795

Salvatore Bonaccorso carnil at debian.org
Wed Dec 20 12:47:07 GMT 2023 

Source: proftpd-dfsg
Version: 1.3.8.a+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/proftpd/proftpd/issues/1760
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for proftpd-dfsg.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1305 at openssh.com and (if CBC is used) the
| -etm at openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6,
| libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera
| Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo
| before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense
| CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD 1.3.9rc1, ORYX
| CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144,
| CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, the
| mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library
| before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust;
| and there could be effects on Bitvise SSH through 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/proftpd/proftpd/issues/1760
[2] https://github.com/proftpd/proftpd/commit/bcec15efe6c53dac40420731013f1cd2fd54123b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the Pkg-proftpd-maintainers mailing list