{"id":"MGASA-2024-0002","summary":"Updated libssh2 packages fix a security vulnerability (Terrapin Attack)","details":"The SSH transport protocol with certain OpenSSH extensions, found in\nOpenSSH before 9.6 and other products, allows remote attackers to bypass\nintegrity checks such that some packets are omitted (from the extension\nnegotiation message), and a client and server may consequently end up\nwith a connection for which some security features have been downgraded\nor disabled, aka a Terrapin attack. This occurs because the SSH Binary\nPacket Protocol (BPP), implemented by these extensions, mishandles the\nhandshake phase and mishandles use of sequence numbers.\nOur libssh2 packages were also affected, this update fixes the issue.\n","modified":"2026-01-30T03:40:42.053084Z","published":"2024-01-08T10:12:44Z","related":["CVE-2023-48795"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0002.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32662"},{"type":"REPORT","url":"https://github.com/libssh2/libssh2/issues/1290"}],"affected":[{"package":{"name":"libssh2","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/libssh2?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.0-3.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0002.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}