Bug 1218206

Summary: VUL-0: CVE-2023-48795: rekor: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1218150    

Comment 1 Thomas Leroy 2023-12-19 13:19:01 UTC 
SUSE:SLE-15-SP4:Update/rekor uses a a vulnerable version of crypto/ssh package
Comment 2 Marcus Meissner 2023-12-19 15:29:23 UTC 
go ssh dep was already bumpoed in rekor git. let see if they cut a release the next days.
Comment 3 Marcus Meissner 2024-02-14 15:11:28 UTC 
was released