From 2f9b1d76b49ce0061f6cf9c567a0757192565fdf Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 21 Dec 2023 17:01:57 +0100 Subject: Mark CVE-2023-48795/tinyssh as unimportant and add explaining NOTE --- data/CVE/list | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/data/CVE/list b/data/CVE/list index 2e7be4458f..9fc855aec0 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -712,7 +712,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-mod-proxy - putty 0.80-1 - python-asyncssh (bug #1059007) - - tinyssh 20230101-4 (bug #1059058) + - tinyssh 20230101-4 (bug #1059058; unimportant) - trilead-ssh2 NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 @@ -749,6 +749,10 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun NOTE: asyncssh: https://github.com/ronf/asyncssh/commit/0bc73254f41acb140187e0c89606311f88de5b7b (v2.14.2) NOTE: tinyssh: https://github.com/janmojzis/tinyssh/issues/81 NOTE: tinyssh: https://github.com/janmojzis/tinyssh/commit/ebaa1bd23c2c548af70cc8151e85c74f4c8594bb + NOTE: tinyssh: 20230101-4 implements kex-strict-s-v00@openssh.com for the strict kex support. But + NOTE: since there is no support for EXT_INFO in tinyssh, even with the present chacha20-poly1305@openssh.com + NOTE: encryption algorith, there is no downgrade of the connection security. An attack might result in + NOTE: hanging or breaking connction. CVE-2023-41314 (The api /api/snapshot and /api/get_log_file would allow unauthenticate ...) NOT-FOR-US: Apache Doris CVE-2023-6909 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) -- cgit v1.2.3