Date:      Tue, 2 Jan 2024 06:11:26 GMT
From:      Philip Paeps <philip@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 389df91bd852 - main - security/vuxml: add FreeBSD SA released on 2023-12-19
Message-ID:  <202401020611.4026BQh0056161@gitrepo.freebsd.org>

The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=389df91bd85232fc354db2e569477111feefabb3

commit 389df91bd85232fc354db2e569477111feefabb3
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2024-01-02 06:11:10 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2024-01-02 06:11:10 +0000

    security/vuxml: add FreeBSD SA released on 2023-12-19
    
    FreeBSD-SA-23:19.openssl affects all supported releases of FreeBSD.
    
    FreeBSD 12.4 reached its end of life at the end of December 2023.  Users
    are encouraged to either implement the documented workaround or leverage
    an up to date version of OpenSSH from the ports/pkg collection.
---
 security/vuxml/vuln/2024.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
new file mode 100644
index 000000000000..82db275e300c
--- /dev/null
+++ b/security/vuxml/vuln/2024.xml
@@ -0,0 +1,33 @@
+  <vuln vid="13d83980-9f18-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Prefix Truncation Attack in the SSH protocol</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>14.0</ge><lt>14.0_4</lt></range>
+	<range><ge>13.2</ge><lt>13.2_9</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The SSH protocol executes an initial handshake between the
+	server and the client.  This protocol handshake includes the
+	possibility of several extensions allowing different options to be
+	selected.  Validation of the packets in the handshake is done through
+	sequence numbers.</p>
+	<h1>Impact:</h1>
+	<p>A man in the middle attacker can silently manipulate handshake
+	messages to truncate extension negotiation messages potentially
+	leading to less secure client authentication algorithms or deactivating
+	keystroke timing attack countermeasures.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-48795</cvename>
+      <freebsdsa>SA-23:19.openssh</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-12-19</discovery>
+      <entry>2024-01-02</entry>
+    </dates>
+  </vuln>
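Review bot: the stray `;` after `<body xmlns="http://www.w3.org/1999/xhtml">` on the `<description>` body line would be emitted as literal text at the top of the rendered description; it should be dropped so the line reads `<body xmlns="http://www.w3.org/1999/xhtml">`. Also, the `<freebsdsa>` reference is `SA-23:19.openssh` while the commit message calls the advisory `FreeBSD-SA-23:19.openssl`; given the topic names the SSH protocol and the CVE is CVE-2023-48795, the entry looks right and the commit message's `.openssl` is the typo, but the two should agree before this is pushed.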