USN 6561-1 libssh vulnerability
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 22.04
Description
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue. Update Instructions: Run `sudo pro fix USN-6561-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libssh-gcrypt-dev - 0.9.3-2ubuntu2.4 libssh-4 - 0.9.3-2ubuntu2.4 libssh-gcrypt-4 - 0.9.3-2ubuntu2.4 libssh-dev - 0.9.3-2ubuntu2.4 libssh-doc - 0.9.3-2ubuntu2.4 No subscription required.
Fixed VMware Products and Versions
- Cflinuxfs4
- All+1.62.0 or greater
- Isolation Segment
- 4.0.15+LTS-T or greater
- 5.0.5 or greater
- Operations Manager
- 3.0.23+LTS-T or greater
- VMware Tanzu Application Service for VMs
- 4.0.15+LTS-T or greater
- 5.0.6 or greater
- Jammy Stemcells
- 1.340 or greater
References
https://ubuntu.com/security/notices/USN-6561-1
https://www.cloudfoundry.org/blog/usn-6561-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6561-1
History
2023-12-19: Initial vulnerability report published.