Bug 1218150

Summary: VUL-0: CVE-2023-48795: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: gus.kenion, hpj, jkowalczyk, meissner, ncutler, rfrohl, security-team, smash_bz, sreeves, stoyan.manolov, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1218208, 1218206, 1218207    
Bug Blocks: 1217950    

Comment 1 Marcus Meissner 2023-12-18 15:45:25 UTC 
now public.

https://terrapin-attack.com/
Comment 2 Thomas Leroy 2023-12-19 09:46:30 UTC 
Go vuln entry is public:
https://pkg.go.dev/vuln/GO-2023-2402

This module is _at least_ used to build go1.2* packages, so I expect a new Go release fixing this issue.

Both ssh client and server look affected.
Comment 3 Thomas Leroy 2023-12-19 10:03:34 UTC 
The following packages use (thus vendor) the golang.org/x/crypto/ssh package:

SUSE:ALP:Source:Standard:1.0/buildkit
SUSE:ALP:Source:Standard:1.0/velociraptor
SUSE:SLE-15-SP2:Update/terraform-provider-aws
SUSE:SLE-15-SP3:Update:Products:SES7:Update/rook
SUSE:SLE-15-SP4:Update/cosign
SUSE:SLE-15-SP4:Update/rekor
SUSE:SLE-15-SP5:Update/warewulf4
Comment 4 Thomas Leroy 2023-12-19 13:12:18 UTC 
The following packages are reported as affected by govulncheck (meaning that the callgraph contains at least one of the vulnerable symbols):

SUSE:ALP:Source:Standard:1.0/velociraptor
SUSE:ALP:Source:Standard:1.0/buildkit
SUSE:SLE-15-SP2:Update/terraform-provider-aws
SUSE:SLE-15-SP4:Update/cosign
SUSE:SLE-15-SP4:Update/rekor