[SECURITY] [DLA 3718-1] php-phpseclib security update

2024-01-2502:26:07

lists.debian.org

php-phpseclib

terrapin attack

cve-2023-48795

ssh protocol

security update

debian 10

openssh extensions

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.9

Confidence

High

EPSS

0.965

Percentile

99.6%

JSON

Debian LTS Advisory DLA-3718-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
January 25, 2024 https://wiki.debian.org/LTS

Package : php-phpseclib
Version : 2.0.30-2~deb10u2
CVE ID : CVE-2023-48795

It was discovered that php-phpseclib, a PHP library for
arbitrary-precision integer arithmetic, was vulnerable to the so-called
Terrapin Attack.

The SSH transport protocol with certain OpenSSH extensions, allows
remote attackers to bypass integrity checks such that some packets are
omitted (from the extension negotiation message), and a client and
server may consequently end up with a connection for which some security
features have been downgraded or disabled, aka a Terrapin attack. This
occurs because the SSH Binary Packet Protocol (BPP), implemented by
these extensions, mishandles the handshake phase and mishandles use of
sequence numbers. For example, there is an effective attack against
SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC).

For Debian 10 buster, this problem has been fixed in version
2.0.30-2~deb10u2.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11arm64filezilla< 3.52.2-3+deb11u1filezilla_3.52.2-3+deb11u1_arm64.deb
Debian12armhfproftpd-mod-odbc< 1.3.8+dfsg-4+deb12u3proftpd-mod-odbc_1.3.8+dfsg-4+deb12u3_armhf.deb
Debian10i386pterm-dbgsym< 0.74-1+deb11u1~deb10u1pterm-dbgsym_0.74-1+deb11u1~deb10u1_i386.deb
Debian11amd64libssh-gcrypt-4-dbgsym< 0.9.8-0+deb11u1libssh-gcrypt-4-dbgsym_0.9.8-0+deb11u1_amd64.deb
Debian11amd64libssh-gcrypt-4< 0.9.8-0+deb11u1libssh-gcrypt-4_0.9.8-0+deb11u1_amd64.deb
Debian12amd64libssh-dev< 0.10.6-0+deb12u1libssh-dev_0.10.6-0+deb12u1_amd64.deb
Debian12armhffilezilla-dbgsym< 3.63.0-1+deb12u3filezilla-dbgsym_3.63.0-1+deb12u3_armhf.deb
Debian12amd64openssh-sftp-server< 1:9.2p1-2+deb12u2openssh-sftp-server_1:9.2p1-2+deb12u2_amd64.deb
Debian12amd64proftpd-mod-mysql< 1.3.8+dfsg-4+deb12u3proftpd-mod-mysql_1.3.8+dfsg-4+deb12u3_amd64.deb
Debian12s390xdropbear-bin< 2022.83-1+deb12u1dropbear-bin_2022.83-1+deb12u1_s390x.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	arm64	filezilla	< 3.52.2-3+deb11u1	filezilla_3.52.2-3+deb11u1_arm64.deb
Debian	12	armhf	proftpd-mod-odbc	< 1.3.8+dfsg-4+deb12u3	proftpd-mod-odbc_1.3.8+dfsg-4+deb12u3_armhf.deb
Debian	10	i386	pterm-dbgsym	< 0.74-1+deb11u1~deb10u1	pterm-dbgsym_0.74-1+deb11u1~deb10u1_i386.deb
Debian	11	amd64	libssh-gcrypt-4-dbgsym	< 0.9.8-0+deb11u1	libssh-gcrypt-4-dbgsym_0.9.8-0+deb11u1_amd64.deb
Debian	11	amd64	libssh-gcrypt-4	< 0.9.8-0+deb11u1	libssh-gcrypt-4_0.9.8-0+deb11u1_amd64.deb
Debian	12	amd64	libssh-dev	< 0.10.6-0+deb12u1	libssh-dev_0.10.6-0+deb12u1_amd64.deb
Debian	12	armhf	filezilla-dbgsym	< 3.63.0-1+deb12u3	filezilla-dbgsym_3.63.0-1+deb12u3_armhf.deb
Debian	12	amd64	openssh-sftp-server	< 1:9.2p1-2+deb12u2	openssh-sftp-server_1:9.2p1-2+deb12u2_amd64.deb
Debian	12	amd64	proftpd-mod-mysql	< 1.3.8+dfsg-4+deb12u3	proftpd-mod-mysql_1.3.8+dfsg-4+deb12u3_amd64.deb
Debian	12	s390x	dropbear-bin	< 2022.83-1+deb12u1	dropbear-bin_2022.83-1+deb12u1_s390x.deb