
dropbear: T6195: package upgrade 2022.83-1+deb12u1 #547

Merged 3 commits on Apr 1, 2024

Conversation

c-po
Member

@c-po c-po commented Apr 1, 2024

Change Summary

Fix CVE-2023-48795: (terrapin attack)

The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack.

Also no longer upload build dependency files to the repo

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

dropbear

Proposed changes

How to test

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
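
To check that an upgraded dropbear (or any SSH peer) actually advertises the Terrapin countermeasure, the following is an added Python example, not code from this PR or from dropbear: it parses a server's SSH_MSG_KEXINIT and reports whether the exposure described above still applies. The strict-KEX extension names and the vulnerable cipher/MAC combinations are taken from the OpenSSH protocol extension and the Terrapin disclosure rather than from this page, and the sample messages are constructed inline.

```python
import struct

SSH_MSG_KEXINIT = 20
# OpenSSH "strict KEX" pseudo-algorithms: the Terrapin countermeasure a peer advertises
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + 4 + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 s7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, lists = 17, {}  # skip the 1-byte message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists

def assess_terrapin(payload, role="server"):
    """Classify a peer's KEXINIT against CVE-2023-48795: exposed when a vulnerable mode
    (chacha20-poly1305@openssh.com, or a CBC cipher with an -etm@openssh.com MAC) is
    offered without the strict-KEX extension; strict KEX closes the hole for any cipher."""
    k = parse_kexinit(payload)
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any("-cbc" in c for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs)
    strict = STRICT_KEX[role] in k["kex"]
    return {"strict_kex": strict, "vulnerable_modes": chacha or cbc_etm,
            "exposed": (chacha or cbc_etm) and not strict}

def build_kexinit(**lists):
    """Constructed KEXINIT for testing (zero cookie); unspecified name-lists are empty."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

if __name__ == "__main__":  # constructed unpatched vs. patched server KEXINITs
    for kex in (["curve25519-sha256"], ["curve25519-sha256", STRICT_KEX["server"]]):
        print(assess_terrapin(build_kexinit(kex=kex, enc_s2c=["chacha20-poly1305@openssh.com"])))
```

A real KEXINIT payload is the decrypted packet body after the length and padding fields, so the same parser works on a capture once those are stripped.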

c-po added 2 commits April 1, 2024 16:05
No need to provide them via the package repository
Fix CVE-2023-48795: (terrapin attack)

The SSH transport protocol with certain OpenSSH extensions allows remote
attackers to bypass integrity checks such that some packets are omitted (from
the extension negotiation message), and a client and server may consequently
end up with a connection for which some security features have been downgraded
or disabled, aka a Terrapin attack.
@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and sever-sever and removed request for a team April 1, 2024 14:10
@c-po
Member Author

c-po commented Apr 1, 2024

@Mergifyio backport sagitta

@c-po c-po merged commit d9dd56f into vyos:current Apr 1, 2024
2 of 3 checks passed
@c-po c-po deleted the dropbear branch April 1, 2024 14:11

mergify bot commented Apr 1, 2024

backport sagitta

✅ Backports have been created

c-po added a commit that referenced this pull request Apr 1, 2024
dropbear: T6195: package upgrade 2022.83-1+deb12u1 (backport #547)