[{"vendor":"Siemens","product":"RUGGEDCOM APE1808","defaultStatus":"unknown","versions":[{"version":"0","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]},{"vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","defaultStatus":"unknown","versions":[{"version":"V3.1.5","lessThan":"*","versionType":"custom","status":"affected"}]}]

{"timestamp":"2023-12-22T05:01:05.519910Z","id":"CVE-2023-48795","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]

https://cert-portal.siemens.com/productcert/html/ssa-082556.html

https://cert-portal.siemens.com/productcert/html/ssa-364175.html

https://cert-portal.siemens.com/productcert/html/ssa-769027.html

https://cert-portal.siemens.com/productcert/html/ssa-794697.html

https://cert-portal.siemens.com/productcert/html/ssa-915275.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/

https://lists.fedoraproject.org/archives/list/[email protected]/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/

https://lists.fedoraproject.org/archives/list/[email protected]/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/

https://lists.fedoraproject.org/archives/list/[email protected]/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/

https://lists.fedoraproject.org/archives/list/[email protected]/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/

https://lists.fedoraproject.org/archives/list/[email protected]/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/

https://lists.fedoraproject.org/archives/list/[email protected]/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/

https://lists.fedoraproject.org/archives/list/[email protected]/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/

https://lists.fedoraproject.org/archives/list/[email protected]/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/

https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html

https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html

https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-354

OR
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions up to (excluding) 26.2.1

OR
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions up to (excluding) 22.3.4.27
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions from (including) 23.0 up to (excluding) 23.3.4.20
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions from (including) 24.0 up to (excluding) 24.3.4.15
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions from (including) 25.0 up to (excluding) 25.3.2.8
 *cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:* versions from (including) 26.0 up to (excluding) 26.2.1

OR
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions up to (excluding) 5.11

OR
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions up to (excluding) 4.9.1.5
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.11.1.7
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions from (including) 4.12 up to (excluding) 4.13.2.4
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions from (including) 4.14 up to (excluding) 4.15.3.1
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.1.1

OR
 *cpe:2.3:a:microsoft:powershell:*:*:*:*:*:*:*:* versions up to (including) 11.1.0

CVE: https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit Types: Exploit, Third Party Advisory

CVE: https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability Types: Exploit, Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit

https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability

OR
 *cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:* versions up to (excluding) 1.11.10

OR
 *cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:* versions up to (excluding) 1.11.1

http://www.openwall.com/lists/oss-security/2024/03/06/3 No Types Assigned

http://www.openwall.com/lists/oss-security/2024/03/06/3 Mailing List

http://www.openwall.com/lists/oss-security/2024/03/06/3 No Types Assigned

http://www.openwall.com/lists/oss-security/2024/03/06/3 Mailing List

http://www.openwall.com/lists/oss-security/2024/04/17/8 No Types Assigned

http://www.openwall.com/lists/oss-security/2024/04/17/8 Mailing List

http://www.openwall.com/lists/oss-security/2024/04/17/8 No Types Assigned

http://www.openwall.com/lists/oss-security/2024/04/17/8 Mailing List

http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html

http://seclists.org/fulldisclosure/2024/Mar/21

http://www.openwall.com/lists/oss-security/2023/12/18/3

http://www.openwall.com/lists/oss-security/2023/12/19/5

http://www.openwall.com/lists/oss-security/2023/12/20/3

http://www.openwall.com/lists/oss-security/2024/03/06/3

http://www.openwall.com/lists/oss-security/2024/04/17/8

https://access.redhat.com/security/cve/cve-2023-48795

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

https://bugs.gentoo.org/920280

https://bugzilla.redhat.com/show_bug.cgi?id=2254210

https://bugzilla.suse.com/show_bug.cgi?id=1217950

https://crates.io/crates/thrussh/versions

https://filezilla-project.org/versions.php

https://forum.netgate.com/topic/184941/terrapin-ssh-attack

https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6

https://github.com/NixOS/nixpkgs/pull/275249

https://github.com/PowerShell/Win32-OpenSSH/issues/2189

https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta

https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0

https://github.com/TeraTermProject/teraterm/releases/tag/v5.1

https://github.com/advisories/GHSA-45x7-px36-x8w8

https://github.com/apache/mina-sshd/issues/445

https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab

https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22

https://github.com/cyd01/KiTTY/issues/520

https://github.com/drakkan/sftpgo/releases/tag/v2.5.6

https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42

https://github.com/erlang/otp/releases/tag/OTP-26.2.1

https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d

https://github.com/hierynomus/sshj/issues/916

https://github.com/janmojzis/tinyssh/issues/81

https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5

https://github.com/libssh2/libssh2/pull/1291

https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25

https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3

https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15

https://github.com/mwiede/jsch/issues/457

https://github.com/mwiede/jsch/pull/461

https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16

https://github.com/openssh/openssh-portable/commits/master

https://github.com/paramiko/paramiko/issues/2337

https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES

https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES

https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES

https://github.com/proftpd/proftpd/issues/456

https://github.com/rapier1/hpn-ssh/releases

https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst

https://github.com/ronf/asyncssh/tags

https://github.com/ssh-mitm/ssh-mitm/issues/165

https://github.com/warp-tech/russh/releases/tag/v0.40.2

https://gitlab.com/libssh/libssh-mirror/-/tags

https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ

https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg

https://help.panic.com/releasenotes/transmit5/

https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/

https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html

https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html

https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html

https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/

https://matt.ucc.asn.au/dropbear/CHANGES

https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC

https://news.ycombinator.com/item?id=38684904

https://news.ycombinator.com/item?id=38685286

https://news.ycombinator.com/item?id=38732005

https://nova.app/releases/#v11.8

https://oryx-embedded.com/download/#changelog

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002

https://roumenpetrov.info/secsh/#news20231220

https://security-tracker.debian.org/tracker/CVE-2023-48795

https://security-tracker.debian.org/tracker/source-package/libssh2

https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg

https://security-tracker.debian.org/tracker/source-package/trilead-ssh2

https://security.gentoo.org/glsa/202312-16

https://security.gentoo.org/glsa/202312-17

https://security.netapp.com/advisory/ntap-20240105-0004/

https://support.apple.com/kb/HT214084

https://thorntech.com/cve-2023-48795-and-sftp-gateway/

https://twitter.com/TrueSkrillor/status/1736774389725565005

https://ubuntu.com/security/CVE-2023-48795

https://winscp.net/eng/docs/history#6.2.2

https://www.bitvise.com/ssh-client-version-history#933

https://www.bitvise.com/ssh-server-version-history

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update

https://www.debian.org/security/2023/dsa-5586

https://www.debian.org/security/2023/dsa-5588

https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508

https://www.netsarang.com/en/xshell-update-history/

https://www.openssh.com/openbsd.html

https://www.openssh.com/txt/release-9.6

https://www.openwall.com/lists/oss-security/2023/12/18/2

https://www.openwall.com/lists/oss-security/2023/12/20/3

https://www.paramiko.org/changelog.html

https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/

https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/

https://www.terrapin-attack.com

https://www.theregister.com/2023/12/20/terrapin_attack_ssh

https://www.vandyke.com/products/securecrt/history.txt

MITRE http://www.openwall.com/lists/oss-security/2024/03/06/3 [No types assigned]

MITRE http://www.openwall.com/lists/oss-security/2024/04/17/8 [No types assigned]

OR
 *cpe:2.3:a:kitty_project:kitty:*:*:*:*:*:*:*:* versions up to (including) 0.76.1.13

OR
 *cpe:2.3:a:9bis:kitty:*:*:*:*:*:*:*:* versions up to (including) 0.76.1.13

OR
 *cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* versions from (including) 14.0 up to (excluding) 14.4

OR
 *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
 *cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

http://seclists.org/fulldisclosure/2024/Mar/21 No Types Assigned

http://seclists.org/fulldisclosure/2024/Mar/21 Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html No Types Assigned

https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html No Types Assigned

https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html No Types Assigned

https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ Mailing List, Third Party Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 No Types Assigned

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 Third Party Advisory

https://security.netapp.com/advisory/ntap-20240105-0004/ No Types Assigned

https://security.netapp.com/advisory/ntap-20240105-0004/ Third Party Advisory

https://support.apple.com/kb/HT214084 No Types Assigned

https://support.apple.com/kb/HT214084 Third Party Advisory

MITRE https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html [No types assigned]

MITRE http://seclists.org/fulldisclosure/2024/Mar/21 [No types assigned]

MITRE https://support.apple.com/kb/HT214084 [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ [No types assigned]

MITRE https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html [No types assigned]

MITRE https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ [No types assigned]

MITRE https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ [No types assigned]

MITRE https://security.netapp.com/advisory/ntap-20240105-0004/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ [No types assigned]

NIST AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

NIST CWE-354

AND
 OR
 *cpe:2.3:a:gentoo:security:-:*:*:*:*:*:*:*
 OR
 cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*

AND
 OR
 *cpe:2.3:a:panic:nova:*:*:*:*:*:*:*:* versions up to (excluding) 11.8
 OR
 cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

AND
 OR
 *cpe:2.3:a:panic:transmit_5:*:*:*:*:*:*:*:* versions up to (excluding) 5.10.4
 OR
 cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:* versions up to (including) 2.11.0

OR
 *cpe:2.3:a:apache:sshj:*:*:*:*:*:*:*:* versions up to (including) 0.37.0

OR
 *cpe:2.3:a:asyncssh_project:asyncssh:*:*:*:*:*:*:*:* versions up to (excluding) 2.14.2

OR
 *cpe:2.3:a:bitvise:ssh_client:*:*:*:*:*:*:*:* versions up to (excluding) 9.33

OR
 *cpe:2.3:a:bitvise:ssh_server:*:*:*:*:*:*:*:* versions up to (excluding) 9.32

OR
 *cpe:2.3:a:connectbot:sshlib:*:*:*:*:*:*:*:* versions up to (excluding) 2.2.22

OR
 *cpe:2.3:a:crates:thrussh:*:*:*:*:*:*:*:* versions up to (excluding) 0.35.1

OR
 *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions up to (excluding) 10.6.0

OR
 *cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:* versions up to (including) 10.6.0

OR
 *cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:*:*:*:*:*:*:*:* versions up to (excluding) 2022.83

OR
 *cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:* versions up to (excluding) 26.2.1

OR
 *cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:* versions up to (excluding) 3.66.4

OR
 *cpe:2.3:a:golang:crypto:*:*:*:*:*:*:*:* versions up to (excluding) 0.17.0

OR
 *cpe:2.3:a:jadaptive:maverick_synergy_java_ssh_api:*:*:*:*:*:*:*:* versions up to (excluding) 3.1.0-snapshot

OR
 *cpe:2.3:a:kitty_project:kitty:*:*:*:*:*:*:*:* versions up to (including) 0.76.1.13

OR
 *cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:* versions up to (excluding) 1.11.10

OR
 *cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:* versions up to (excluding) 0.10.6

OR
 *cpe:2.3:a:matez:jsch:*:*:*:*:*:*:*:* versions up to (excluding) 0.2.15

OR
 *cpe:2.3:a:microsoft:powershell:*:*:*:*:*:*:*:* versions up to (including) 11.1.0

OR
 *cpe:2.3:a:net-ssh:net-ssh:7.2.0:*:*:*:*:ruby:*:*

OR
 *cpe:2.3:a:netgate:pfsense_ce:*:*:*:*:*:*:*:* versions up to (including) 2.7.2

OR
 *cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:* versions up to (including) 23.09.1

OR
 *cpe:2.3:a:netsarang:xshell_7:*:*:*:*:*:*:*:* versions up to (excluding) build__0144

OR
 *cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* versions up to (excluding) 9.6

OR
 *cpe:2.3:a:oryx-embedded:cyclone_ssh:*:*:*:*:*:*:*:* versions up to (excluding) 2.3.4

OR
 *cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0

OR
 *cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:* versions up to (including) 1.3.8b

OR
 *cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:* versions up to (excluding) 0.80

OR
 *cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*
 *cpe:2.3:a:redhat:advanced_cluster_security:4.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:ceph_storage:6.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:cert-manager_operator_for_red_hat_openshift:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:discovery:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_data_foundation:4.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_dev_spaces:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_gitops:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_pipelines:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openshift_virtualization:4:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
 *cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*
 *cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:roumenpetrov:pkixssh:*:*:*:*:*:*:*:* versions up to (excluding) 14.4

OR
 *cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:* versions up to (excluding) 0.40.2

OR
 *cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:* versions up to (excluding) 2.5.6

OR
 *cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:* versions up to (including) 1.11.0

OR
 *cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:* versions up to (excluding) 5.11

OR
 *cpe:2.3:a:tera_term_project:tera_term:*:*:*:*:*:*:*:* versions up to (including) 5.1

OR
 *cpe:2.3:a:tinyssh:tinyssh:*:*:*:*:*:*:*:* versions up to (including) 20230101

OR
 *cpe:2.3:a:trilead:ssh2:6401:*:*:*:*:*:*:*

OR
 *cpe:2.3:a:vandyke:securecrt:*:*:*:*:*:*:*:* versions up to (excluding) 9.4.3

OR
 *cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:* versions up to (excluding) 6.2.2

OR
 *cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:* versions up to (including) 12.4

OR
 *cpe:2.3:o:lancom-systems:lanconfig:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:lancom-systems:lcos:*:*:*:*:*:*:*:* versions up to (including) 3.66.4

OR
 *cpe:2.3:o:lancom-systems:lcos_fx:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:lancom-systems:lcos_lx:-:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:lancom-systems:lcos_sx:4.20:*:*:*:*:*:*:*
 *cpe:2.3:o:lancom-systems:lcos_sx:5.20:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
 *cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

OR
 *cpe:2.3:o:thorntech:sftp_gateway_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.6

http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html No Types Assigned

http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html Third Party Advisory, VDB Entry

http://www.openwall.com/lists/oss-security/2023/12/18/3 No Types Assigned

http://www.openwall.com/lists/oss-security/2023/12/18/3 Mailing List

http://www.openwall.com/lists/oss-security/2023/12/19/5 No Types Assigned

http://www.openwall.com/lists/oss-security/2023/12/19/5 Mailing List

http://www.openwall.com/lists/oss-security/2023/12/20/3 No Types Assigned

http://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List, Mitigation

https://access.redhat.com/security/cve/cve-2023-48795 No Types Assigned

https://access.redhat.com/security/cve/cve-2023-48795 Third Party Advisory

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ No Types Assigned

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ Press/Media Coverage

https://bugs.gentoo.org/920280 No Types Assigned

https://bugs.gentoo.org/920280 Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2254210 No Types Assigned

https://bugzilla.redhat.com/show_bug.cgi?id=2254210 Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1217950 No Types Assigned

https://bugzilla.suse.com/show_bug.cgi?id=1217950 Issue Tracking

https://crates.io/crates/thrussh/versions No Types Assigned

https://crates.io/crates/thrussh/versions Release Notes

https://filezilla-project.org/versions.php No Types Assigned

https://filezilla-project.org/versions.php Release Notes

https://forum.netgate.com/topic/184941/terrapin-ssh-attack No Types Assigned

https://forum.netgate.com/topic/184941/terrapin-ssh-attack Issue Tracking

https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 No Types Assigned

https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 Patch

https://github.com/NixOS/nixpkgs/pull/275249 No Types Assigned

https://github.com/NixOS/nixpkgs/pull/275249 Release Notes

https://github.com/PowerShell/Win32-OpenSSH/issues/2189 No Types Assigned

https://github.com/PowerShell/Win32-OpenSSH/issues/2189 Issue Tracking

https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta No Types Assigned

https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta Release Notes

https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 No Types Assigned

https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 Patch

https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 No Types Assigned

https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 Release Notes

https://github.com/advisories/GHSA-45x7-px36-x8w8 No Types Assigned

https://github.com/advisories/GHSA-45x7-px36-x8w8 Third Party Advisory

https://github.com/apache/mina-sshd/issues/445 No Types Assigned

https://github.com/apache/mina-sshd/issues/445 Issue Tracking

https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab No Types Assigned

https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab Patch

https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 No Types Assigned

https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 Third Party Advisory

https://github.com/cyd01/KiTTY/issues/520 No Types Assigned

https://github.com/cyd01/KiTTY/issues/520 Issue Tracking

https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 No Types Assigned

https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 Release Notes

https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 No Types Assigned

https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 Patch

https://github.com/erlang/otp/releases/tag/OTP-26.2.1 No Types Assigned

https://github.com/erlang/otp/releases/tag/OTP-26.2.1 Release Notes

https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d No Types Assigned

https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d Patch

https://github.com/hierynomus/sshj/issues/916 No Types Assigned

https://github.com/hierynomus/sshj/issues/916 Issue Tracking

https://github.com/janmojzis/tinyssh/issues/81 No Types Assigned

https://github.com/janmojzis/tinyssh/issues/81 Issue Tracking

https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 No Types Assigned

https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 Patch

https://github.com/libssh2/libssh2/pull/1291 No Types Assigned

https://github.com/libssh2/libssh2/pull/1291 Mitigation

https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 No Types Assigned

https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 Patch

https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 No Types Assigned

https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 Patch

https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 No Types Assigned

https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 Product

https://github.com/mwiede/jsch/issues/457 No Types Assigned

https://github.com/mwiede/jsch/issues/457 Issue Tracking

https://github.com/mwiede/jsch/pull/461 No Types Assigned

https://github.com/mwiede/jsch/pull/461 Release Notes

https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 No Types Assigned

https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 Patch

https://github.com/openssh/openssh-portable/commits/master No Types Assigned

https://github.com/openssh/openssh-portable/commits/master Patch

https://github.com/paramiko/paramiko/issues/2337 No Types Assigned

https://github.com/paramiko/paramiko/issues/2337 Issue Tracking

https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES No Types Assigned

https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES Release Notes

https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES No Types Assigned

https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES Release Notes

https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES No Types Assigned

https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES Release Notes

https://github.com/proftpd/proftpd/issues/456 No Types Assigned

https://github.com/proftpd/proftpd/issues/456 Issue Tracking

https://github.com/rapier1/hpn-ssh/releases No Types Assigned

https://github.com/rapier1/hpn-ssh/releases Release Notes

https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst No Types Assigned

https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst Release Notes

https://github.com/ronf/asyncssh/tags No Types Assigned

https://github.com/ronf/asyncssh/tags Release Notes

https://github.com/ssh-mitm/ssh-mitm/issues/165 No Types Assigned

https://github.com/ssh-mitm/ssh-mitm/issues/165 Issue Tracking

https://github.com/warp-tech/russh/releases/tag/v0.40.2 No Types Assigned

https://github.com/warp-tech/russh/releases/tag/v0.40.2 Release Notes

https://gitlab.com/libssh/libssh-mirror/-/tags No Types Assigned

https://gitlab.com/libssh/libssh-mirror/-/tags Release Notes

https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ No Types Assigned

https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ Mailing List

https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg No Types Assigned

https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg Mailing List

https://help.panic.com/releasenotes/transmit5/ No Types Assigned

https://help.panic.com/releasenotes/transmit5/ Release Notes

https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ No Types Assigned

https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ Press/Media Coverage

https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html No Types Assigned

https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ No Types Assigned

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ Vendor Advisory

https://matt.ucc.asn.au/dropbear/CHANGES No Types Assigned

https://matt.ucc.asn.au/dropbear/CHANGES Release Notes

https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC No Types Assigned

https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC Patch

https://news.ycombinator.com/item?id=38684904 No Types Assigned

https://news.ycombinator.com/item?id=38684904 Issue Tracking

https://news.ycombinator.com/item?id=38685286 No Types Assigned

https://news.ycombinator.com/item?id=38685286 Issue Tracking

https://news.ycombinator.com/item?id=38732005 No Types Assigned

https://news.ycombinator.com/item?id=38732005 Issue Tracking

https://nova.app/releases/#v11.8 No Types Assigned

https://nova.app/releases/#v11.8 Release Notes

https://oryx-embedded.com/download/#changelog No Types Assigned

https://oryx-embedded.com/download/#changelog Release Notes

https://roumenpetrov.info/secsh/#news20231220 No Types Assigned

https://roumenpetrov.info/secsh/#news20231220 Release Notes

https://security-tracker.debian.org/tracker/CVE-2023-48795 No Types Assigned

https://security-tracker.debian.org/tracker/CVE-2023-48795 Vendor Advisory

https://security-tracker.debian.org/tracker/source-package/libssh2 No Types Assigned

https://security-tracker.debian.org/tracker/source-package/libssh2 Vendor Advisory

https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg No Types Assigned

https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg Vendor Advisory

https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 No Types Assigned

https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 Issue Tracking

https://security.gentoo.org/glsa/202312-16 No Types Assigned

https://security.gentoo.org/glsa/202312-16 Third Party Advisory

https://security.gentoo.org/glsa/202312-17 No Types Assigned

https://security.gentoo.org/glsa/202312-17 Third Party Advisory

https://thorntech.com/cve-2023-48795-and-sftp-gateway/ No Types Assigned

https://thorntech.com/cve-2023-48795-and-sftp-gateway/ Third Party Advisory

https://twitter.com/TrueSkrillor/status/1736774389725565005 No Types Assigned

https://twitter.com/TrueSkrillor/status/1736774389725565005 Press/Media Coverage

https://ubuntu.com/security/CVE-2023-48795 No Types Assigned

https://ubuntu.com/security/CVE-2023-48795 Vendor Advisory

https://winscp.net/eng/docs/history#6.2.2 No Types Assigned

https://winscp.net/eng/docs/history#6.2.2 Release Notes

https://www.bitvise.com/ssh-client-version-history#933 No Types Assigned

https://www.bitvise.com/ssh-client-version-history#933 Release Notes

https://www.bitvise.com/ssh-server-version-history No Types Assigned

https://www.bitvise.com/ssh-server-version-history Release Notes

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html No Types Assigned

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Release Notes

https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update No Types Assigned

https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update Release Notes

https://www.debian.org/security/2023/dsa-5586 No Types Assigned

https://www.debian.org/security/2023/dsa-5586 Issue Tracking

https://www.debian.org/security/2023/dsa-5588 No Types Assigned

https://www.debian.org/security/2023/dsa-5588 Issue Tracking

https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc No Types Assigned

https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc Release Notes

https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 No Types Assigned

https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 Vendor Advisory

https://www.netsarang.com/en/xshell-update-history/ No Types Assigned

https://www.netsarang.com/en/xshell-update-history/ Release Notes

https://www.openssh.com/openbsd.html No Types Assigned

https://www.openssh.com/openbsd.html Release Notes

https://www.openssh.com/txt/release-9.6 No Types Assigned

https://www.openssh.com/txt/release-9.6 Release Notes

https://www.openwall.com/lists/oss-security/2023/12/18/2 No Types Assigned

https://www.openwall.com/lists/oss-security/2023/12/18/2 Mailing List

https://www.openwall.com/lists/oss-security/2023/12/20/3 No Types Assigned

https://www.openwall.com/lists/oss-security/2023/12/20/3 Mailing List, Mitigation

https://www.paramiko.org/changelog.html No Types Assigned

https://www.paramiko.org/changelog.html Release Notes

https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ No Types Assigned

https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ Issue Tracking

https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ No Types Assigned

https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ Press/Media Coverage

https://www.terrapin-attack.com No Types Assigned

https://www.terrapin-attack.com Exploit

https://www.theregister.com/2023/12/20/terrapin_attack_ssh No Types Assigned

https://www.theregister.com/2023/12/20/terrapin_attack_ssh Press/Media Coverage

https://www.vandyke.com/products/securecrt/history.txt No Types Assigned

https://www.vandyke.com/products/securecrt/history.txt Release Notes

MITRE https://security.gentoo.org/glsa/202312-16 [No types assigned]

MITRE https://security.gentoo.org/glsa/202312-17 [No types assigned]

MITRE https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html [No types assigned]

MITRE https://github.com/ssh-mitm/ssh-mitm/issues/165 [No types assigned]

MITRE https://news.ycombinator.com/item?id=38732005 [No types assigned]

MITRE https://www.debian.org/security/2023/dsa-5588 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

MITRE https://filezilla-project.org/versions.php [No types assigned]

MITRE https://github.com/PowerShell/Win32-OpenSSH/issues/2189 [No types assigned]

MITRE https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta [No types assigned]

MITRE https://github.com/cyd01/KiTTY/issues/520 [No types assigned]

MITRE https://help.panic.com/releasenotes/transmit5/ [No types assigned]

MITRE https://nova.app/releases/#v11.8 [No types assigned]

MITRE https://roumenpetrov.info/secsh/#news20231220 [No types assigned]

MITRE https://winscp.net/eng/docs/history#6.2.2 [No types assigned]

MITRE https://www.bitvise.com/ssh-client-version-history#933 [No types assigned]

MITRE https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 [No types assigned]

MITRE https://www.theregister.com/2023/12/20/terrapin_attack_ssh [No types assigned]

MITRE https://www.vandyke.com/products/securecrt/history.txt [No types assigned]

MITRE https://www.debian.org/security/2023/dsa-5586 [No types assigned]

MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ [No types assigned]

MITRE http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

MITRE https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 [No types assigned]

MITRE https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 [No types assigned]

MITRE https://www.openwall.com/lists/oss-security/2023/12/20/3 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD 1.3.9rc1, ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

MITRE https://github.com/apache/mina-sshd/issues/445 [No types assigned]

MITRE https://github.com/hierynomus/sshj/issues/916 [No types assigned]

MITRE https://github.com/janmojzis/tinyssh/issues/81 [No types assigned]

MITRE https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES [No types assigned]

MITRE https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES [No types assigned]

MITRE http://www.openwall.com/lists/oss-security/2023/12/20/3 [No types assigned]

MITRE https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ [No types assigned]

MITRE https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc [No types assigned]

MITRE http://www.openwall.com/lists/oss-security/2023/12/19/5 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and libssh2 through 1.11.0; and there could be effects on Bitvise SSH through 9.31.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD 1.3.9rc1, ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust; and there could be effects on Bitvise SSH through 9.31.

MITRE https://crates.io/crates/thrussh/versions [No types assigned]

MITRE https://github.com/NixOS/nixpkgs/pull/275249 [No types assigned]

MITRE https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 [No types assigned]

MITRE https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab [No types assigned]

MITRE https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 [No types assigned]

MITRE https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 [No types assigned]

MITRE https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 [No types assigned]

MITRE https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES [No types assigned]

MITRE https://github.com/proftpd/proftpd/issues/456 [No types assigned]

MITRE https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC [No types assigned]

MITRE https://oryx-embedded.com/download/#changelog [No types assigned]

MITRE https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update [No types assigned]

MITRE https://www.netsarang.com/en/xshell-update-history/ [No types assigned]

MITRE https://www.paramiko.org/changelog.html [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, and libssh before 0.10.6; and there could be effects on Bitvise SSH through 9.31.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and libssh2 through 1.11.0; and there could be effects on Bitvise SSH through 9.31.

MITRE https://forum.netgate.com/topic/184941/terrapin-ssh-attack [No types assigned]

MITRE https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 [No types assigned]

MITRE https://github.com/rapier1/hpn-ssh/releases [No types assigned]

MITRE https://github.com/libssh2/libssh2/pull/1291 [No types assigned]

MITRE https://access.redhat.com/security/cve/cve-2023-48795 [No types assigned]

MITRE https://bugs.gentoo.org/920280 [No types assigned]

MITRE https://bugzilla.redhat.com/show_bug.cgi?id=2254210 [No types assigned]

MITRE https://bugzilla.suse.com/show_bug.cgi?id=1217950 [No types assigned]

MITRE https://github.com/advisories/GHSA-45x7-px36-x8w8 [No types assigned]

MITRE https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 [No types assigned]

MITRE https://github.com/erlang/otp/releases/tag/OTP-26.2.1 [No types assigned]

MITRE https://github.com/mwiede/jsch/pull/461 [No types assigned]

MITRE https://security-tracker.debian.org/tracker/CVE-2023-48795 [No types assigned]

MITRE https://security-tracker.debian.org/tracker/source-package/libssh2 [No types assigned]

MITRE https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg [No types assigned]

MITRE https://ubuntu.com/security/CVE-2023-48795 [No types assigned]

MITRE https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, and golang.org/x/crypto before 0.17.0; and there could be effects on Bitvise SSH through 9.31 and libssh through 0.10.5.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, and libssh before 0.10.6; and there could be effects on Bitvise SSH through 9.31.

MITRE https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 [No types assigned]

MITRE https://github.com/mwiede/jsch/issues/457 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, and AsyncSSH before 2.14.2; and there could be effects on Bitvise SSH through 9.31, libssh through 0.10.5, and golang.org/x/crypto through 2023-12-17.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, and golang.org/x/crypto before 0.17.0; and there could be effects on Bitvise SSH through 9.31 and libssh through 0.10.5.

MITRE http://www.openwall.com/lists/oss-security/2023/12/18/3 [No types assigned]

MITRE https://github.com/paramiko/paramiko/issues/2337 [No types assigned]

MITRE https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg [No types assigned]

MITRE https://news.ycombinator.com/item?id=38684904 [No types assigned]

MITRE https://news.ycombinator.com/item?id=38685286 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, and PuTTY before 0.80; and there could be effects on Bitvise SSH through 9.31, AsyncSSH through 2.14.1, libssh through 0.10.5, and golang.org/x/crypto through 2023-12-17.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, and AsyncSSH before 2.14.2; and there could be effects on Bitvise SSH through 9.31, libssh through 0.10.5, and golang.org/x/crypto through 2023-12-17.

MITRE https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 [No types assigned]

MITRE https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d [No types assigned]

MITRE https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst [No types assigned]

MITRE https://github.com/warp-tech/russh/releases/tag/v0.40.2 [No types assigned]

MITRE https://thorntech.com/cve-2023-48795-and-sftp-gateway/ [No types assigned]

MITRE https://twitter.com/TrueSkrillor/status/1736774389725565005 [No types assigned]

MITRE https://www.openwall.com/lists/oss-security/2023/12/18/2 [No types assigned]

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, and PuTTY before 0.80; and there could be effects on Bitvise SSH through 9.31, AsyncSSH through 2.14.1, libssh through 0.10.5, and golang.org/x/crypto through 2023-12-17.

MITRE https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 [No types assigned]

MITRE https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 [No types assigned]

MITRE https://github.com/openssh/openssh-portable/commits/master [No types assigned]

MITRE https://github.com/ronf/asyncssh/tags [No types assigned]

MITRE https://gitlab.com/libssh/libssh-mirror/-/tags [No types assigned]

MITRE https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ [No types assigned]

MITRE https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ [No types assigned]

MITRE https://matt.ucc.asn.au/dropbear/CHANGES [No types assigned]

MITRE https://www.bitvise.com/ssh-server-version-history [No types assigned]

MITRE https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html [No types assigned]

MITRE https://www.openssh.com/openbsd.html [No types assigned]

MITRE https://www.openssh.com/txt/release-9.6 [No types assigned]

MITRE https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ [No types assigned]

MITRE https://www.terrapin-attack.com [No types assigned]