-------------------------------------------------------------------------
Debian LTS Advisory DLA-3899-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
September 27, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-asyncssh
Version        : 2.5.0-0.1+deb11u1
CVE ID         : CVE-2023-46445 CVE-2023-46446 CVE-2023-48795
Debian Bug     : 1055999 1056000 1059007

AsyncSSH is a Python package which provides an asynchronous client
and server implementation of the SSHv2 protocol on top of the Python
3.4+ asyncio framework. It has been discovered that it is vulnerable to

CVE-2023-46445

    A vulnerability has been discovered that allows attackers to control
    the extension info message (RFC 8308) via a man-in-the-middle attack
    (aka Rogue Extension Negotiation).

CVE-2023-46446

    A vulnerability has been discovered that allows attackers to control
    the remote end of an SSH client session via packet injection/removal
    and shell emulation (aka Rogue Session attack).

CVE-2023-48795

    A vulnerability has been discovered allows remote attackers to bypass
    integrity checks, and a client and server may consequently end up with
    a connection for which some security features have been downgraded or
    disabled (aka Terrapin attack).

For Debian 11 bullseye, these problems have been fixed in version
2.5.0-0.1+deb11u1.

We recommend that you upgrade your python-asyncssh packages.

For the detailed security status of python-asyncssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-asyncssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS