Bug 1218206 - VUL-0: CVE-2023-48795: rekor: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Summary: VUL-0: CVE-2023-48795: rekor: golang.org/x/crypto/ssh: prefix truncation brea...
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Critical
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Keywords:
Depends on:
Blocks: 1218150
  Show dependency treegraph
 
Reported: 2023-12-19 13:14 UTC by Thomas Leroy
Modified: 2024-02-14 15:11 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Thomas Leroy 2023-12-19 13:19:01 UTC 
SUSE:SLE-15-SP4:Update/rekor uses a a vulnerable version of crypto/ssh package
Comment 2 Marcus Meissner 2023-12-19 15:29:23 UTC 
go ssh dep was already bumpoed in rekor git. let see if they cut a release the next days.
Comment 3 Marcus Meissner 2024-02-14 15:11:28 UTC 
was released