Bug 1218150 - VUL-0: CVE-2023-48795: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Keywords:
Depends on: 1218208 1218206 1218207
Blocks: CVE-2023-48795
Reported: 2023-12-18 09:27 UTC by Marcus Meissner
Modified: 2023-12-19 13:23 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Marcus Meissner 2023-12-18 15:45:25 UTC
now public.

https://terrapin-attack.com/
Comment 2 Thomas Leroy 2023-12-19 09:46:30 UTC
Go vuln entry is public:
https://pkg.go.dev/vuln/GO-2023-2402

This module is _at least_ used to build go1.2* packages, so I expect a new Go release fixing this issue.

Both ssh client and server look affected.
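As an added example, not code from this bug, from golang.org/x/crypto or from the Terrapin authors: the Go program below parses a client and a server SSH_MSG_KEXINIT payload, runs the RFC 4253 algorithm negotiation for both directions, and reports whether the result is one the prefix-truncation attack applies to. The attack conditions (ChaCha20-Poly1305, or a CBC cipher combined with an Encrypt-then-MAC MAC) and the kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com countermeasure names are taken from the Terrapin write-up linked in comment 1, not from this bug; the KEXINIT bytes are constructed inline as sample input rather than captured from a real connection.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Names from the OpenSSH strict-KEX extension and the Terrapin write-up.
const (
	strictKexClient  = "kex-strict-c-v00@openssh.com"
	strictKexServer  = "kex-strict-s-v00@openssh.com"
	chaCha20Poly1305 = "chacha20-poly1305@openssh.com"
	msgKexInit       = 20 // SSH_MSG_KEXINIT
)

// KexInit holds the KEXINIT name-lists that matter for Terrapin.
type KexInit struct {
	Kex, EncC2S, EncS2C, MacC2S, MacS2C []string
}

// readNameList decodes one RFC 4251 name-list: uint32 length, comma-separated names.
func readNameList(buf []byte) ([]string, []byte, error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("truncated name-list length")
	}
	n, rest := binary.BigEndian.Uint32(buf), buf[4:]
	if uint64(n) > uint64(len(rest)) {
		return nil, nil, errors.New("name-list runs past end of payload")
	}
	var names []string // an empty list (e.g. languages) must stay empty, not [""]
	if n > 0 {
		names = strings.Split(string(rest[:n]), ",")
	}
	return names, rest[n:], nil
}

// ParseKexInit decodes a KEXINIT payload (RFC 4253 7.1): msg byte, 16-byte cookie,
// ten name-lists, boolean first_kex_packet_follows, uint32 reserved.
func ParseKexInit(payload []byte) (*KexInit, error) {
	if len(payload) < 17 || payload[0] != msgKexInit {
		return nil, errors.New("not an SSH_MSG_KEXINIT payload")
	}
	rest, lists := payload[17:], [10][]string{}
	var err error
	for i := range lists {
		if lists[i], rest, err = readNameList(rest); err != nil {
			return nil, fmt.Errorf("name-list %d: %w", i, err)
		}
	}
	if len(rest) < 5 {
		return nil, errors.New("missing first_kex_packet_follows or reserved field")
	}
	return &KexInit{Kex: lists[0], EncC2S: lists[2], EncS2C: lists[3], MacC2S: lists[4], MacS2C: lists[5]}, nil
}

func contains(list []string, name string) bool {
	for _, n := range list {
		if n == name {
			return true
		}
	}
	return false
}

// negotiate picks the first client-preferred name the server also lists (RFC 4253 7.1).
func negotiate(client, server []string) string {
	for _, c := range client {
		if contains(server, c) {
			return c
		}
	}
	return ""
}

// susceptible: ChaCha20-Poly1305, or any CBC cipher under an Encrypt-then-MAC MAC.
func susceptible(cipher, mac string) bool {
	return cipher == chaCha20Poly1305 ||
		(strings.HasSuffix(cipher, "-cbc") && strings.HasSuffix(mac, "-etm@openssh.com"))
}

// Verdict: StrictKex is true only when both peers advertise the extension; Vulnerable
// means a susceptible pair was negotiated in either direction without strict KEX.
type Verdict struct {
	CipherC2S, MacC2S, CipherS2C, MacS2C string
	StrictKex, Vulnerable                bool
}

// Assess negotiates both directions and applies the Terrapin conditions.
func Assess(client, server *KexInit) Verdict {
	v := Verdict{
		CipherC2S: negotiate(client.EncC2S, server.EncC2S), MacC2S: negotiate(client.MacC2S, server.MacC2S),
		CipherS2C: negotiate(client.EncS2C, server.EncS2C), MacS2C: negotiate(client.MacS2C, server.MacS2C),
	}
	v.StrictKex = contains(client.Kex, strictKexClient) && contains(server.Kex, strictKexServer)
	v.Vulnerable = !v.StrictKex && (susceptible(v.CipherC2S, v.MacC2S) || susceptible(v.CipherS2C, v.MacS2C))
	return v
}

// buildKexInit serialises a constructed KEXINIT (zero cookie, same cipher/MAC lists both ways) as sample input.
func buildKexInit(kex, enc, mac []string) []byte {
	out, n := append([]byte{msgKexInit}, make([]byte, 16)...), [4]byte{}
	for _, l := range [][]string{kex, {"ssh-ed25519"}, enc, enc, mac, mac, {"none"}, {"none"}, nil, nil} {
		s := strings.Join(l, ",")
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		out = append(append(out, n[:]...), s...)
	}
	return append(out, 0, 0, 0, 0, 0) // first_kex_packet_follows = false, reserved = 0
}

func main() {
	client, _ := ParseKexInit(buildKexInit([]string{"curve25519-sha256", strictKexClient}, []string{chaCha20Poly1305}, []string{"hmac-sha2-256"}))
	for _, kex := range [][]string{{"curve25519-sha256"}, {"curve25519-sha256", strictKexServer}} {
		server, _ := ParseKexInit(buildKexInit(kex, []string{chaCha20Poly1305}, []string{"hmac-sha2-256"}))
		fmt.Printf("server kex %v -> %+v\n", kex, Assess(client, server))
	}
}
```

Checking both directions matters because, as the comment above notes, client and server are both affected: a patched client still ends up in an attackable session against a server that does not advertise kex-strict-s-v00@openssh.com, and vice versa. The same functions can be pointed at KEXINIT payloads extracted from a packet capture, since the handshake up to NEWKEYS is in the clear.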
Comment 3 Thomas Leroy 2023-12-19 10:03:34 UTC
The following packages use (thus vendor) the golang.org/x/crypto/ssh package:

SUSE:ALP:Source:Standard:1.0/buildkit
SUSE:ALP:Source:Standard:1.0/velociraptor
SUSE:SLE-15-SP2:Update/terraform-provider-aws
SUSE:SLE-15-SP3:Update:Products:SES7:Update/rook
SUSE:SLE-15-SP4:Update/cosign
SUSE:SLE-15-SP4:Update/rekor
SUSE:SLE-15-SP5:Update/warewulf4
Comment 4 Thomas Leroy 2023-12-19 13:12:18 UTC
The following packages are reported as affected by govulncheck (meaning that the callgraph contains at least one of the vulnerable symbols):

SUSE:ALP:Source:Standard:1.0/velociraptor
SUSE:ALP:Source:Standard:1.0/buildkit
SUSE:SLE-15-SP2:Update/terraform-provider-aws
SUSE:SLE-15-SP4:Update/cosign
SUSE:SLE-15-SP4:Update/rekor
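As an added example that is not part of this bug or of SUSE's tooling: comment 3 lists packages that vendor golang.org/x/crypto/ssh, and comment 4 narrows that to packages whose call graph reaches a vulnerable symbol. The first of those checks can be scripted from a package's vendor/modules.txt, which is what the Go program below does on a constructed excerpt: it reports whether golang.org/x/crypto/ssh itself is vendored (rather than only some other golang.org/x/crypto package) and whether the vendored version is below v0.17.0, the fixed version recorded in the GO-2023-2402 entry linked in comment 2. The version comparison is a deliberately small one that handles release, pre-release and pseudo-versions; it is not golang.org/x/mod/semver.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module, package and fixed version as recorded in the Go vuln entry GO-2023-2402.
const (
	vulnModule  = "golang.org/x/crypto"
	vulnPackage = "golang.org/x/crypto/ssh"
	fixedIn     = "v0.17.0"
)

// sampleModulesTxt is a constructed vendor/modules.txt excerpt, not from any real package.
const sampleModulesTxt = `# golang.org/x/crypto v0.16.0
## explicit; go 1.18
golang.org/x/crypto/curve25519
golang.org/x/crypto/ssh
golang.org/x/crypto/ssh/agent
# golang.org/x/sys v0.15.0
## explicit; go 1.18
golang.org/x/sys/unix
`

// VendoredModule is one "# path version" header with the package lines listed below it.
type VendoredModule struct {
	Path, Version string
	Packages      []string
}

// ParseModulesTxt reads vendor/modules.txt; "## ..." annotation lines are skipped.
func ParseModulesTxt(text string) []VendoredModule {
	var mods []VendoredModule
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		fields := strings.Fields(strings.TrimPrefix(line, "# "))
		switch {
		case line == "" || strings.HasPrefix(line, "##"):
			continue
		case strings.HasPrefix(line, "# "):
			m := VendoredModule{Path: fields[0]}
			if len(fields) > 1 && strings.HasPrefix(fields[1], "v") {
				m.Version = fields[1] // absent for "# old => ./dir" replace directives
			}
			mods = append(mods, m)
		case len(mods) > 0:
			mods[len(mods)-1].Packages = append(mods[len(mods)-1].Packages, line)
		}
	}
	return mods
}

// splitVersion parses vMAJOR.MINOR.PATCH and returns the numbers plus any
// pre-release or pseudo-version suffix ("-rc1", "-0.20220622213112-05595931fe9d").
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	var suffix string
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, suffix = v[:i], v[i:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, suffix
}

// versionLess reports a < b; a pre-release or pseudo-version sorts below the
// release with the same numbers, which is all this triage needs.
func versionLess(a, b string) bool {
	an, as := splitVersion(a)
	bn, bs := splitVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return as != "" && bs == ""
}

// Finding separates "vendors some x/crypto package" from "vendors x/crypto/ssh itself".
type Finding struct {
	Version    string
	VendorsSSH bool
	Outdated   bool // below fixedIn, or version unknown (treated as needing review)
}

// CheckModulesTxt returns the x/crypto finding and whether the module is vendored at all.
func CheckModulesTxt(text string) (Finding, bool) {
	for _, m := range ParseModulesTxt(text) {
		if m.Path != vulnModule {
			continue
		}
		f := Finding{Version: m.Version, Outdated: m.Version == "" || versionLess(m.Version, fixedIn)}
		for _, p := range m.Packages {
			f.VendorsSSH = f.VendorsSSH || p == vulnPackage
		}
		return f, true
	}
	return Finding{}, false
}

func main() {
	f, ok := CheckModulesTxt(sampleModulesTxt)
	fmt.Printf("x/crypto vendored: %v, finding: %+v\n", ok, f)
}
```

This is the cheap pre-filter that reproduces the comment 3 list; the call-graph check in comment 4 still needs govulncheck, since a package can vendor golang.org/x/crypto/ssh without ever calling into it.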