| Summary: | [Tracker] Terrapin Vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED | | |
| Severity: | normal | CC: | base-system, d, embedded, hanno |
| Priority: | Normal | Keywords: | Tracker |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://terrapin-attack.com/ | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 920293, 920299, 920304, 920385, 920421, 920682, 921290, 930152, 920291, 920292 | | |
| Bug Blocks: | | | |
Description
Christopher Fore
2023-12-18 17:03:28 UTC

I've used the following command to mitigate on the client side:

    sed -i "1i Ciphers -$(ssh -Q cipher | grep -e chacha20-poly1305@openssh.com -e -cbc | paste -d, -s -)" ~/.ssh/config

In my case, the following line got added before the first line of the file:

    Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,chacha20-poly1305@openssh.com

CVE-2023-46445 and CVE-2023-46446 are issues in AsyncSSH, which Gentoo has not packaged, so I believe they are irrelevant here. Only CVE-2023-48795 refers to the Terrapin vulnerability in the SSH protocol itself that affects pretty much every SSH implementation.

Why was kde proj CCed here at all?

(In reply to Andreas Sturmlechner from comment #3)
> Why was kde proj CCed here at all?

Looks like it might have carried over from this bug: https://bugs.gentoo.org/920291
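Added example, not from this bug or from Gentoo: a POSIX sh version of the client-side mitigation quoted in the thread above. It derives the same `Ciphers -...` exclusion line from a cipher list in `ssh -Q cipher` format and prepends it to the client config only once, so re-running it does not stack duplicate lines the way a repeated `sed -i 1i` would. The `--apply` flag, the file name and the sample cipher list are assumptions.

```shell
#!/bin/sh
# Build the OpenSSH "Ciphers -..." exclusion line from a cipher list given
# as one name per line (the shape of `ssh -Q cipher` output). It drops
# chacha20-poly1305@openssh.com and every CBC cipher, the algorithms the
# comment above excludes for CVE-2023-48795 (Terrapin).
terrapin_exclusion_line() {
  excluded=$(printf '%s\n' "$1" \
    | grep -e 'chacha20-poly1305@openssh.com' -e '-cbc' \
    | paste -d, -s -)
  [ -n "$excluded" ] || return 1   # nothing to exclude: signal "no change"
  printf 'Ciphers -%s\n' "$excluded"
}

# Prepend the line to a client config, but only if that exact line is not
# already present, so repeated runs do not stack duplicate Ciphers lines.
apply_exclusion() {
  cfg=$1
  line=$2
  if [ -f "$cfg" ] && grep -qxF "$line" "$cfg"; then
    return 0                       # already mitigated, leave the file alone
  fi
  mkdir -p "$(dirname "$cfg")"
  tmp=$(mktemp)
  {
    printf '%s\n' "$line"
    if [ -f "$cfg" ]; then cat "$cfg"; fi
  } > "$tmp"
  mv "$tmp" "$cfg"
  chmod 600 "$cfg"
}

# Constructed sample standing in for `ssh -Q cipher` on a typical OpenSSH 9.x client.
SAMPLE_CIPHERS='3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Assumed usage: `sh terrapin-client.sh --apply` runs against the real client.
if [ "${1:-}" = "--apply" ]; then
  line=$(terrapin_exclusion_line "$(ssh -Q cipher)") \
    && apply_exclusion "$HOME/.ssh/config" "$line"
fi
```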