-------------------------------------------------------------------------
Debian LTS Advisory DLA-3899-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
September 27, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-asyncssh
Version        : 2.5.0-0.1+deb11u1
CVE ID         : CVE-2023-46445 CVE-2023-46446 CVE-2023-48795
Debian Bug     : 1055999 1056000 1059007

AsyncSSH is a Python package which provides an asynchronous client and
server implementation of the SSHv2 protocol on top of the Python 3.4+
asyncio framework. It has been discovered that it is vulnerable to the
following issues:

CVE-2023-46445

    A vulnerability has been discovered that allows attackers to control
    the extension info message (RFC 8308) via a man-in-the-middle attack
    (aka Rogue Extension Negotiation).

CVE-2023-46446

    A vulnerability has been discovered that allows attackers to control
    the remote end of an SSH client session via packet injection/removal
    and shell emulation (aka Rogue Session attack).

CVE-2023-48795

    A vulnerability has been discovered that allows remote attackers to
    bypass integrity checks; a client and server may consequently end up
    with a connection for which some security features have been
    downgraded or disabled (aka Terrapin attack).

For Debian 11 bullseye, these problems have been fixed in version
2.5.0-0.1+deb11u1.

We recommend that you upgrade your python-asyncssh packages.

For the detailed security status of python-asyncssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-asyncssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS