Medium
Canonical Ubuntu
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue. Update Instructions: Run sudo pro fix USN-6561-1
to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libssh-gcrypt-dev – 0.9.3-2ubuntu2.4 libssh-4 – 0.9.3-2ubuntu2.4 libssh-gcrypt-4 – 0.9.3-2ubuntu2.4 libssh-dev – 0.9.3-2ubuntu2.4 libssh-doc – 0.9.3-2ubuntu2.4 No subscription required
CVEs contained in this USN include: CVE-2023-48795.
Severity is medium unless otherwise noted.
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
2024-04-04: Initial vulnerability report published.
CPE | Name | Operator | Version |
---|---|---|---|
cflinuxfs4 | lt | 1.62.0 | |
jammy stemcells | lt | 1.340 | |
cf deployment | lt | 1.340 |