Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
mageiaGentoo FoundationMGASA-2024-0002
HistoryJan 08, 2024 - 1:12 p.m.

Updated libssh2 packages fix a security vulnerability (Terrapin Attack)

2024-01-0813:12:44
Gentoo Foundation
advisories.mageia.org
51
ssh transport protocol
openssh extensions
integrity checks
remote attackers
terrapin attack
security features
connection downgraded
handshake phase
sequence numbers
libssh2 packages
update
vulnerability
unix

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.1

Confidence

High

EPSS

0.965

Percentile

99.6%

JSON

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. Our libssh2 packages were also affected, this update fixes the issue.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchlibssh2< 1.10.0-3.1libssh2-1.10.0-3.1.mga9

Related

osv 104
openvas 26
alpinelinux 1
nessus 37
cbl_mariner 5
atlassian 1
fedora 5
ubuntu 4
mageia 2
redhat 4
oraclelinux 2
debian 1
cloudfoundry 1
ibm 4
freebsd 1
redos 1
amazon 1
osv
osv
CGA-p9pj-2c5q-53vp
2024-06-06 12:28:42
CGA-7x38-9344-h7f7
2024-06-06 12:25:04
CGA-v5gm-5r76-p5cr
2024-06-06 12:26:25
openvas
openvas
Huawei EulerOS: Security Advisory for libssh2 (EulerOS-SA-2024-1765)
2024-05-30 00:00:00
Huawei EulerOS: Security Advisory for python-paramiko (EulerOS-SA-2024-1750)
2024-05-30 00:00:00
Huawei EulerOS: Security Advisory for libssh2 (EulerOS-SA-2024-1239)
2024-03-12 00:00:00
alpinelinux
alpinelinux
CVE-2023-48795
2023-12-18 16:15:10
nessus
nessus
FreeBSD : nebula -- security fix for terrapin vulnerability (0f7598cc-9fe2-11ee-b47f-901b0e9408dc)
2023-12-21 00:00:00
Fedora 38 : proftpd (2023-b87ec6cf47)
2023-12-29 00:00:00
openSUSE 15 Security Update : proftpd (openSUSE-SU-2023:0421-1)
2023-12-30 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-48795 affecting package kubevirt for versions less than null
2024-01-10 08:19:37
CVE-2023-48795 affecting package libssh for versions less than 0.10.6-1
2024-01-14 22:46:30
CVE-2023-48795 affecting package moby-cli for versions less than 20.10.27-2
2024-01-19 03:54:24
atlassian
atlassian
CVE-2023-48795 vulnerability on SSH
2024-01-04 17:19:13
fedora
fedora
[SECURITY] Fedora 39 Update: putty-0.80-1.fc39
2024-01-11 01:17:14
[SECURITY] Fedora 38 Update: putty-0.80-1.fc38
2024-01-11 02:17:03
[SECURITY] Fedora 39 Update: prometheus-podman-exporter-1.7.0-1.fc39
2024-01-29 06:26:11
ubuntu
ubuntu
libssh2 vulnerability
2024-01-15 00:00:00
FileZilla vulnerability
2024-01-18 00:00:00
LXD vulnerability
2024-04-22 00:00:00
mageia
mageia
Updated erlang packages fix a security vulnerability (Terrapin Attack)
2024-01-20 01:43:32
Updated putty package fixes a security vulnerability (Terrapin attack)
2024-01-08 13:12:44
redhat
redhat
(RHSA-2024:0499) Moderate: libssh security update
2024-01-25 15:19:29
(RHSA-2024:0625) Moderate: libssh security update
2024-01-31 08:08:23
(RHSA-2024:1196) Moderate: Red Hat JBoss Enterprise Application Platform 7.4 security update
2024-03-06 17:50:02
oraclelinux
oraclelinux
buildah security update
2024-03-07 00:00:00
openssh security update
2024-03-18 00:00:00
debian
debian
[SECURITY] [DSA 5600-1] php-phpseclib security update
2024-01-12 07:13:37
cloudfoundry
cloudfoundry
USN-6561-1: libssh vulnerability | Cloud Foundry
2024-04-04 00:00:00
ibm
ibm
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in net-ssh-4.2.0.gem
2024-05-30 07:47:08
Security Bulletin: OpenSSH vulnerability affects IBM WebSphere Adapter for FTP shipped with IBM Business Automation Workflow - CVE-2023-48795
2024-03-22 16:29:44
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to a machine-in-the-middle attack due to Apache MINA SSHD (CVE-2023-48795)
2024-04-04 17:46:46
freebsd
freebsd
jenkins -- Terrapin SSH vulnerability in Jenkins CLI client
2024-04-17 00:00:00
redos
redos
ROS-20240408-15
2024-04-08 00:00:00
amazon
amazon
Medium: openssh
2023-12-18 09:20:00

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.1

Confidence

High

EPSS

0.965

Percentile

99.6%

JSON
Related for MGASA-2024-0002
osv104openvas26alpinelinux1nessus37cbl_mariner5atlassian1fedora5ubuntu4mageia2redhat4oraclelinux2debian1cloudfoundry1ibm4freebsd1redos1amazon1