{"id":"MGASA-2024-0004","summary":"Updated dropbear package fixes a security vulnerability","details":"Parts of the SSH specification are vulnerable to a novel prefix\ntruncation attack (a.k.a. Terrapin attack), which allows a\nman-in-the-middle attacker to strip an arbitrary number of messages\nright after the initial key exchange, breaking SSH extension negotiation\n(RFC8308) in the process and thus downgrading connection security.\n### Mitigations\nTo mitigate this protocol vulnerability, OpenSSH suggested a so-called\n\"strict kex\" which alters the SSH handshake to ensure a\nMan-in-the-Middle attacker cannot introduce unauthenticated messages as\nwell as convey sequence number manipulation across handshakes. Support\nfor strict key exchange has been added to a variety of SSH\nimplementations, including OpenSSH itself, PuTTY, libssh, and more.\nThis release includes a patch to implement Strict KEX mode.\n","modified":"2026-04-16T04:41:27.399047786Z","published":"2024-01-08T19:01:05Z","upstream":["CVE-2023-48795"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0004.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32656"},{"type":"WEB","url":"https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356"}],"affected":[{"package":{"name":"dropbear","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/dropbear?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2022.83-2.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0004.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}