diff options
| author | Salvatore Bonaccorso <carnil@debian.org> | 2023-12-21 17:01:57 +0100 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2023-12-21 17:01:57 +0100 |
| commit | 2f9b1d76b49ce0061f6cf9c567a0757192565fdf (patch) | |
| tree | 94b5d0ec9fe99f8ca221424768d4c466d49f39ab | |
| parent | 9a1eec858c2d864b41e19defb8e3112f024ffc31 (diff) | |
Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE
| -rw-r--r-- | data/CVE/list | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/data/CVE/list b/data/CVE/list index 2e7be4458f..9fc855aec0 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -712,7 +712,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-mod-proxy <unfixed> - putty 0.80-1 - python-asyncssh <unfixed> (bug #1059007) - - tinyssh 20230101-4 (bug #1059058) + - tinyssh 20230101-4 (bug #1059058; unimportant) - trilead-ssh2 <unfixed> NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 @@ -749,6 +749,10 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2) NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81 NOTE: tinyssh: https://github.com/janmojzis/tinyssh/commit/ebaa1bd23c2c548af70cc8151e85c74f4c8594bb + NOTE: tinyssh: 20230101-4 implements kex-strict-s-v00@openssh.com for the strict kex support. But + NOTE: since there is no support for EXT_INFO in tinyssh, even with the present chacha20-poly1305@openssh.com + NOTE: encryption algorith, there is no downgrade of the connection security. An attack might result in + NOTE: hanging or breaking connction. CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...) NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) |