Bug 1218168 - VUL-0: CVE-2023-48795: python-paramiko: prefix truncation breaking ssh channel integrity aka Terrapin Attack
Summary: VUL-0: CVE-2023-48795: python-paramiko: prefix truncation breaking ssh channe...
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2023-48795
  Show dependency treegraph
 
Reported: 2023-12-18 16:21 UTC by Marcus Meissner
Modified: 2024-05-16 13:50 UTC (History)
13 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2023-12-18 16:21:15 UTC 
python-paramiko is also a SSH v2 implementation in python.

It supports ETM MACs, so is also affected by the Terrapin attack most likely.
Comment 2 OBSbugzilla Bot 2023-12-19 07:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1218168) was mentioned in
https://build.opensuse.org/request/show/1133954 Factory / python-paramiko
Comment 3 Marcus Meissner 2023-12-19 08:00:51 UTC 
as far as I see python-paramiko  starting from SLES 15 SP4+ have etm MACs.

SUSE:SLE-15-SP4:Update python-paramiko
SUSE:ALP:Source:Standard:1.0                                python-paramiko

affected
Comment 5 OBSbugzilla Bot 2023-12-20 09:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1218168) was mentioned in
https://build.opensuse.org/request/show/1134140 Factory / python-paramiko
Comment 8 Maintenance Automation 2024-01-05 12:30:02 UTC 
SUSE-SU-2024:0035-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218168
CVE References: CVE-2023-48795
Sources used:
openSUSE Leap 15.4 (src): python-paramiko-3.4.0-150400.13.6.1
openSUSE Leap 15.5 (src): python-paramiko-3.4.0-150400.13.6.1
Python 3 Module 15-SP5 (src): python-paramiko-3.4.0-150400.13.6.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-paramiko-3.4.0-150400.13.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-paramiko-3.4.0-150400.13.6.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-paramiko-3.4.0-150400.13.6.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-paramiko-3.4.0-150400.13.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-paramiko-3.4.0-150400.13.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Marcus Meissner 2024-01-08 10:16:26 UTC 
fixed