Thursday, January 25, 2024

[USN-6598-1] Paramiko vulnerability

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmWyZgkACgkQZWnYVadE
vpMLjBAAkf59STlTqKzpwZTUMFWBxSyxBu0dsqWqqL+6nl/wqskQwckvNVc+sJcF
7LsRNR7e9HvFbbacg13XczX+DMUBZtHONCzximQeHGs+zPR80Yu9pNeg6aTCCei6
dhaFH7coXzE53tzvBsrUDZuhaWt26IeexGOKXlt/gi7rcAAJYyLX1sFXpjNQCSeS
vdHpzcjAKO8mzpIVX8UlnJPxvlxKBu/stnYeKgWJhiGHvn9ivUoJ4Y4vevriMDTB
Si2mJlCodB20+JRkQSEwz+2YRdNO6wJem0J4mXKgB7r/rSlNeo3ek6K7Ebni5rVy
xWkrzOn6qUl7zDZK2jQB4tEExgVUNagP523r47asdJTOyHLkkexJdVx7quKQKDYG
BmHdwUMZgYBamBUHAqBHtjHJVA6iWEn66cjdv/22inqcrZiVhTMyAzkYAFlX3nhI
ft/YOy0zfN/MPib75aK38SWKrj80TqCX4cgDmSv6CGXhM4Qr0dz5z/eSLL4KECaV
wd3OeDpg+7fSkiqggQ1ABMREqMHg67wNeAjs9Fs04Ttr23MFCUpkHbNW0H/ZF7iS
0gVAt9JXzQHUxz+kVh1/ov/GgaSLNBb5qZAWDaGzzUWT7js3nULokxidiszVJO2N
JyKK6/gcHV+MoafiQu3xTPVyO8r6X7+O2aDCpP1t1SbxtbgJ0qw=
=BlYY
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6598-1
January 25, 2024

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

A protocol flaw was fixed in Paramiko.

Software Description:
- paramiko: Python SSH2 library

Details:

Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH
protocol was vulnerable to a prefix truncation attack. If a remote attacker
was able to intercept SSH communications, extension negotiation messages
could be truncated, possibly leading to certain algorithms and features
being downgraded. This issue is known as the Terrapin attack. This update
adds protocol extensions to mitigate this issue.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
python3-paramiko 2.12.0-2ubuntu1.23.10.2

Ubuntu 22.04 LTS:
python3-paramiko 2.9.3-0ubuntu1.2

Ubuntu 20.04 LTS:
python3-paramiko 2.6.0-2ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6598-1
CVE-2023-48795

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.12.0-2ubuntu1.23.10.2
https://launchpad.net/ubuntu/+source/paramiko/2.9.3-0ubuntu1.2
https://launchpad.net/ubuntu/+source/paramiko/2.6.0-2ubuntu0.3

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)