Terrapin attack: prefix truncation vulnerability affecting ssh implementations allowing MitM attackers to drop packets (CVE-2023-48795)
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
https://security.alpinelinux.org/vuln/CVE-2023-48795
main/:
Affected in (checked boxes indicate the issue has been addressed)
- openssh (commit 1, commit 2, 9.6p1)
  - edge
  - 3.19-stable
  - 3.18-stable
  - 3.17-stable
  - 3.16-stable
- dropbear (commit)
  - edge
  - 3.19-stable
  - 3.18-stable
  - 3.17-stable
  - 3.16-stable
- libssh2 (commit)
  - edge
  - 3.19-stable
  - 3.18-stable
  - 3.17-stable
  - 3.16-stable
- putty 0.80
  - edge
  - 3.19-stable
  - 3.18-stable
  - 3.17-stable
  - 3.16-stable
community/:
Affected in (checked boxes indicate the issue has been addressed)
- erlang (changelog, 26.2.1)
  - edge
  - 3.19-stable
- libssh (0.10.6)
  - edge
  - 3.19-stable
- java (article)
- russh rust crate (v0.40.2)
- py3-paramiko (issue, changelog, 3.4.0)
  - edge
  - 3.19-stable
- py3-asyncssh (changelog, 2.14.2)
  - edge
  - 3.19-stable
- proftpd 1.3.8b
  - edge
  - 3.19-stable
  - 3.18-stable
  - 3.17-stable
  - 3.16-stable
- tinyssh (issue, commit)
  - edge
  - 3.19-stable
- pijul (change)
  - edge
  - 3.19-stable
- filezilla (3.66.4)
  - edge
  - 3.19-stable
community/ using golang.org/x/crypto/ssh (issue, change, commit)
Affected in
- podman
  - edge
  - 3.19-stable
- buildah (commit)
  - edge
  - 3.19-stable
- doctl (commit, 1.102.0)
  - edge
  - 3.19-stable
- podman-tui (commit, 0.15.0)
  - edge
  - 3.19-stable
- nebula (commit, 1.8.1)
  - edge
  - 3.19-stable
- gitea (commit, 1.21.3)
  - edge
  - 3.19-stable
Affected using russh rust crate (commit, v0.40.2)
Edited by Natanael Copa