
(E)LTS report for January 2024



I've worked during January 2024 on the below listed packages, for
Freexian LTS/ELTS [1] 

Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS and ELTS - paramiko - CVE-2023-48795

Unfortunately only _after_ backporting the patch for CVE-2023-48795
(terrapin) and fighting with the test suite for a while, I figured out
that there is a tool to check for SSH implementations [3] and that gave
me additional clues that paramiko might not be vulnerable to terrapin.

So I've then reached out to upstream [4] and got confirmation that this
is indeed true: Paramiko in buster does not implement the vulnerable
ciphers (and it also does not support EXT_INFO, which might be relevant
if someone wants to exploit terrapin -- but I'm not 100% sure about that part)

If it is true that EXT_INFO is required to exploit, this would also
mean that bookworm is not vulnerable.

[3] https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.0
[4] https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735

FWIW, I've put the backport on a dedicated branch,
tobi_backport_strict_key on the LTS repo, in case this is found to be
useful in the future. (Basically this should enable strict KEX support,
but will for sure require more testing.)

LTS and ELTS - zabbix
  LTS:  DLA-3717-1 CVE-2023-32721 CVE-2023-32723 CVE-2023-32726
  ELTS: ELA-1041-1 CVE-2023-32721 CVE-2023-32726

The work on zabbix included also triaging of several CVEs that have
been marked as being vulnerable in LTS and ELTS, but some of them were
introduced only in later versions than the one in buster, stretch and
jessie. This was the case for CVE-2023-32725, CVE-2023-32727 and
CVE-2023-32728.

The code involving LDAP Management, which was the code around
CVE-2023-32723, has been significantly changed in buster,
therefore the patch could not be applied to the ELTS suites. The code
has been changed so much, that I could not determine if the present code
is vulnerable at all. The code base has changed to a
model-view-controller in later versions, so I did not find a way to
backport the fix, or even verify if it needs fixing at all.


--
tobi


[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
