Bug 1218144

Summary: VUL-0: CVE-2023-48795: proftpd: prefix truncation breaking ssh channel integrity
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Christian Wittmer <chris>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: gus.kenion, hpj, meissner, ncutler, rfrohl, security-team, smash_bz, sreeves, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217950    

Comment 1 Marcus Meissner 2023-12-18 15:37:06 UTC 
https://terrapin-attack.com/ is now public.

it affects mod_sftp of proftpd.
Comment 2 Christian Wittmer 2024-01-03 14:57:13 UTC 
fixed with Update to 1.3.8a
Comment 3 Christian Wittmer 2024-01-03 15:00:43 UTC 
sorry .. fixed with 1.3.8b
Comment 4 OBSbugzilla Bot 2024-01-03 15:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1218144) was mentioned in
https://build.opensuse.org/request/show/1136558 Backports:SLE-15-SP5 / proftpd
Comment 5 Christian Wittmer 2024-01-03 22:34:50 UTC 
I guess this can be closed
Comment 6 Marcus Meissner 2024-01-04 02:05:12 UTC 
openSUSE-SU-2024:0008-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1218144,1218344
CVE References: CVE-2023-48795,CVE-2023-51713
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    proftpd-1.3.8b-bp155.2.6.1
Comment 7 Marcus Meissner 2024-01-08 11:48:08 UTC 
done