Bug 2254210 (CVE-2023-48795) - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
Summary: CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
Keywords:
Status: MODIFIED
Alias: CVE-2023-48795
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255041 2255065 2255067 2255068 2255069 2255862 2254752 2254753 2254754 2254755 2254756 2254757 2254758 2254759 2254760 2254761 2254762 2254763 2254764 2254765 2254766 2254767 2254768 2254770 2255042 2255043 2255044 2255045 2255046 2255047 2255048 2255049 2255050 2255051 2255052 2255053 2255054 2255055 2255056 2255057 2255058 2255059 2255060 2255061 2255062 2255063 2255064 2255066 2255070 2255071 2255072 2255073 2255074 2255075 2255076 2255077 2255078 2255080 2255081 2255082 2255083 2255084 2255085 2255086 2255087 2255089 2255090 2255091 2255092 2255093 2255094 2255095 2255096 2255097 2255098 2255099 2255100 2255101 2255102 2255103 2255104 2255105 2255106 2255107 2255108 2255109 2255125 2255863 2255864 2255865 2255866 2255907 2255908 2255909 2255910 2255911 2255912 2255913 2257947 2279580
Blocks: 2254204
TreeView+ depends on / blocked
 
Reported: 2023-12-12 16:59 UTC by Patrick Del Bello
Modified: 2025-05-15 08:28 UTC (History)
238 users (show)

Fixed In Version: PuTTY 0.80, AsyncSSH 2.14.1, libssh 0.9.8, libssh 0.10.6, golang.org/x/crypto/ssh 0.17.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0545 0 None None None 2024-01-29 14:35:35 UTC
Red Hat Product Errata RHBA-2024:0639 0 None None None 2024-02-01 07:56:18 UTC
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:00:58 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:16 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:29 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:34 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:14 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:28 UTC
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:48:05 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:10 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:29:10 UTC
Red Hat Product Errata RHSA-2024:0040 0 None None None 2024-06-27 10:52:40 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:23:29 UTC
Red Hat Product Errata RHSA-2024:0429 0 None None None 2024-01-24 16:49:29 UTC
Red Hat Product Errata RHSA-2024:0455 0 None None None 2024-01-24 16:40:30 UTC
Red Hat Product Errata RHSA-2024:0499 0 None None None 2024-01-25 15:31:37 UTC
Red Hat Product Errata RHSA-2024:0538 0 None None None 2024-01-29 08:20:17 UTC
Red Hat Product Errata RHSA-2024:0594 0 None None None 2024-01-30 14:08:09 UTC
Red Hat Product Errata RHSA-2024:0606 0 None None None 2024-01-30 14:53:45 UTC
Red Hat Product Errata RHSA-2024:0625 0 None None None 2024-01-31 08:29:53 UTC
Red Hat Product Errata RHSA-2024:0628 0 None None None 2024-01-31 08:40:29 UTC
Red Hat Product Errata RHSA-2024:0722 0 None None None 2024-02-12 15:24:54 UTC
Red Hat Product Errata RHSA-2024:0766 0 None None None 2024-02-28 08:11:17 UTC
Red Hat Product Errata RHSA-2024:0789 0 None None None 2024-02-12 16:02:21 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:45 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:47 UTC
Red Hat Product Errata RHSA-2024:0954 0 None None None 2024-02-27 15:17:02 UTC
Red Hat Product Errata RHSA-2024:1130 0 None None None 2024-03-05 18:12:05 UTC
Red Hat Product Errata RHSA-2024:1150 0 None None None 2024-03-05 18:13:40 UTC
Red Hat Product Errata RHSA-2024:1192 0 None None None 2024-03-06 15:30:30 UTC
Red Hat Product Errata RHSA-2024:1193 0 None None None 2024-03-06 15:29:57 UTC
Red Hat Product Errata RHSA-2024:1194 0 None None None 2024-03-06 15:38:41 UTC
Red Hat Product Errata RHSA-2024:1196 0 None None None 2024-03-06 17:55:04 UTC
Red Hat Product Errata RHSA-2024:1197 0 None None None 2024-03-06 17:52:38 UTC
Red Hat Product Errata RHSA-2024:1210 0 None None None 2024-03-13 15:32:11 UTC
Red Hat Product Errata RHSA-2024:1557 0 None None None 2024-03-28 05:31:29 UTC
Red Hat Product Errata RHSA-2024:1674 0 None None None 2024-04-04 15:21:17 UTC
Red Hat Product Errata RHSA-2024:1675 0 None None None 2024-04-04 15:20:48 UTC
Red Hat Product Errata RHSA-2024:1676 0 None None None 2024-04-04 15:20:14 UTC
Red Hat Product Errata RHSA-2024:1677 0 None None None 2024-04-04 15:23:05 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:24 UTC
Red Hat Product Errata RHSA-2024:2728 0 None None None 2024-05-29 19:50:39 UTC
Red Hat Product Errata RHSA-2024:2735 0 None None None 2024-05-22 20:34:58 UTC
Red Hat Product Errata RHSA-2024:2768 0 None None None 2024-05-22 20:37:38 UTC
Red Hat Product Errata RHSA-2024:2988 0 None None None 2024-05-22 09:28:51 UTC
Red Hat Product Errata RHSA-2024:3479 0 None None None 2024-05-29 21:40:42 UTC
Red Hat Product Errata RHSA-2024:3634 0 None None None 2024-06-05 14:44:39 UTC
Red Hat Product Errata RHSA-2024:3635 0 None None None 2024-06-05 14:45:12 UTC
Red Hat Product Errata RHSA-2024:3636 0 None None None 2024-06-05 14:44:07 UTC
Red Hat Product Errata RHSA-2024:3718 0 None None None 2024-10-01 17:30:21 UTC
Red Hat Product Errata RHSA-2024:3918 0 None None None 2024-06-19 15:00:29 UTC
Red Hat Product Errata RHSA-2024:4010 0 None None None 2024-06-26 02:06:26 UTC
Red Hat Product Errata RHSA-2024:4151 0 None None None 2024-07-02 19:33:02 UTC
Red Hat Product Errata RHSA-2024:4329 0 None None None 2024-07-11 11:54:42 UTC
Red Hat Product Errata RHSA-2024:4479 0 None None None 2024-07-17 00:38:46 UTC
Red Hat Product Errata RHSA-2024:4484 0 None None None 2024-07-17 01:36:57 UTC
Red Hat Product Errata RHSA-2024:4597 0 None None None 2024-07-17 18:47:12 UTC
Red Hat Product Errata RHSA-2024:4613 0 None None None 2024-07-24 18:53:31 UTC
Red Hat Product Errata RHSA-2024:4662 0 None None None 2024-07-18 19:25:42 UTC
Red Hat Product Errata RHSA-2024:4955 0 None None None 2024-08-07 01:16:49 UTC
Red Hat Product Errata RHSA-2024:4959 0 None None None 2024-08-07 10:19:10 UTC
Red Hat Product Errata RHSA-2024:4960 0 None None None 2024-08-07 10:52:10 UTC
Red Hat Product Errata RHSA-2024:5200 0 None None None 2024-08-19 05:41:06 UTC
Red Hat Product Errata RHSA-2024:5432 0 None None None 2024-08-21 21:43:12 UTC
Red Hat Product Errata RHSA-2024:5433 0 None None None 2024-08-22 11:42:08 UTC
Red Hat Product Errata RHSA-2024:5438 0 None None None 2024-08-21 03:37:17 UTC
Red Hat Product Errata RHSA-2024:6406 0 None None None 2024-09-11 18:34:31 UTC
Red Hat Product Errata RHSA-2024:8235 0 None None None 2024-10-23 13:15:28 UTC

Description Patrick Del Bello 2023-12-12 16:59:59 UTC 
Prefix truncation attack on BPP: By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure 
channel without causing a MAC failure. The vulnerable cipher modes are ChaCha20-Poly1305 (chacha20-poly1305) and Encrypt-then-MAC (-etm MAC algorithms).
Comment 7 Sandipan Roy 2023-12-18 17:44:27 UTC 
Created age tracking bugs for this issue:

Affects: fedora-all [bug 2255071]


Created ansible-collection-ansible-netcommon tracking bugs for this issue:

Affects: fedora-all [bug 2255055]
Affects: openstack-rdo [bug 2255059]


Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2255062]
Affects: fedora-all [bug 2255072]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2255073]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2255063]
Affects: fedora-all [bug 2255074]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255075]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2255064]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255076]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255077]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255078]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255080]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255081]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2255082]


Created docker-compose tracking bugs for this issue:

Affects: fedora-all [bug 2255056]


Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2255083]


Created dropbear tracking bugs for this issue:

Affects: epel-all [bug 2255041]
Affects: fedora-all [bug 2255042]


Created duplicity tracking bugs for this issue:

Affects: fedora-all [bug 2255057]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2255084]


Created golang-github-cloudflare-cfssl tracking bugs for this issue:

Affects: fedora-all [bug 2255085]


Created golang-github-cloudflare-redoctober tracking bugs for this issue:

Affects: fedora-all [bug 2255086]


Created golang-github-facebookincubator-go2chef tracking bugs for this issue:

Affects: fedora-all [bug 2255087]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2255089]


Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-all [bug 2255090]


Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-all [bug 2255091]


Created golang-github-in-toto tracking bugs for this issue:

Affects: fedora-all [bug 2255092]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-all [bug 2255093]


Created golang-github-theoapp-theo-agent tracking bugs for this issue:

Affects: fedora-all [bug 2255094]


Created golang-googlecode-go-crypto tracking bugs for this issue:

Affects: epel-all [bug 2255065]


Created golang-x-crypto tracking bugs for this issue:

Affects: epel-all [bug 2255066]
Affects: fedora-all [bug 2255095]


Created gomtree tracking bugs for this issue:

Affects: fedora-all [bug 2255096]


Created gopass tracking bugs for this issue:

Affects: fedora-all [bug 2255097]


Created gopass-hibp tracking bugs for this issue:

Affects: fedora-all [bug 2255098]


Created gopass-jsonapi tracking bugs for this issue:

Affects: fedora-all [bug 2255099]


Created gvisor-tap-vsock tracking bugs for this issue:

Affects: fedora-all [bug 2255100]


Created libssh tracking bugs for this issue:

Affects: epel-all [bug 2255045]
Affects: fedora-all [bug 2255047]


Created libssh2 tracking bugs for this issue:

Affects: epel-all [bug 2255046]
Affects: fedora-all [bug 2255048]


Created mingw-libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 2255049]


Created nebula tracking bugs for this issue:

Affects: fedora-all [bug 2255101]


Created pack tracking bugs for this issue:

Affects: epel-all [bug 2255067]
Affects: fedora-all [bug 2255102]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2255103]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2255104]


Created proftpd tracking bugs for this issue:

Affects: epel-all [bug 2255052]
Affects: fedora-all [bug 2255053]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2255105]


Created putty tracking bugs for this issue:

Affects: epel-all [bug 2255050]
Affects: fedora-all [bug 2255051]


Created python-asyncssh tracking bugs for this issue:

Affects: epel-all [bug 2255043]
Affects: fedora-all [bug 2255044]


Created python-docker tracking bugs for this issue:

Affects: epel-all [bug 2255054]
Affects: openstack-rdo [bug 2255060]


Created python-network-runner tracking bugs for this issue:

Affects: fedora-all [bug 2255058]
Affects: openstack-rdo [bug 2255061]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2255068]
Affects: fedora-all [bug 2255106]


Created restic tracking bugs for this issue:

Affects: epel-all [bug 2255069]
Affects: fedora-all [bug 2255107]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2255070]
Affects: fedora-all [bug 2255108]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2255109]
Comment 8 Sandipan Roy 2023-12-18 19:22:50 UTC 
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2255125]
Comment 9 Sandipan Roy 2023-12-18 19:29:44 UTC 
Mitigation:

You can disable the following ciphers and HMACs as a workaround  on RHEL-8 and RHEL-9:
 1. chacha20-poly1305
 2. hmac-sha2-512-etm
 3. hmac-sha2-256-etm
 4. hmac-sha1-etm
 5. hmac-md5-etm

To do that through crypto-policies, one can apply a subpolicy with the following content:
```
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0
```
e.g., by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server.

One can verify that the changes are in effect by ensuring the ciphers listed above are missing from both `/etc/crypto-policies/back-ends/openssh.config` and `/etc/crypto-policies/back-ends/opensshserver.config`.

For more details on using crypto-policies, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

Note that this procedure does limit the interoperability of the host and is only suggested as a temporary mitigation until the issue is fully resolved with an update.
Comment 12 Vít Ondruch 2023-12-19 09:00:30 UTC 
(In reply to Sandipan Roy from comment #7)
> Created vagrant tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2255109]

@saroy Would you mind elaborate how Vagrant got on the list? I think that Vagrant uses rubygem-net-ssh for the SSH. So is it vulnerable? Should the ciphers be disabled there? Is the upstream aware?

This report unfortunately does not provide too much information.
Comment 13 Sandipan Roy 2023-12-19 09:07:58 UTC 
In reply to comment #12:
> (In reply to Sandipan Roy from comment #7)
> > Created vagrant tracking bugs for this issue:
> > 
> > Affects: fedora-all [bug 2255109]
> 
> @saroy Would you mind elaborate how Vagrant got on the list? I
> think that Vagrant uses rubygem-net-ssh for the SSH. So is it vulnerable?
> Should the ciphers be disabled there? Is the upstream aware?
> 
> This report unfortunately does not provide too much information.

vagrant is listed becuase of this below golang dependency:

$ depcli -svv golang.org/x/crypto/ssh -e golang | grep vagrant 
fedora-39	vagrant-2.3.4-3.fc39	(golang.org/x/crypto/ssh.0-20201002170205-7f63de1d35b0, golang)
Comment 14 Vít Ondruch 2023-12-19 10:19:24 UTC 
(In reply to Sandipan Roy from comment #13)
> In reply to comment #12:
> > (In reply to Sandipan Roy from comment #7)
> > > Created vagrant tracking bugs for this issue:
> > > 
> > > Affects: fedora-all [bug 2255109]
> > 
> > @saroy Would you mind elaborate how Vagrant got on the list? I
> > think that Vagrant uses rubygem-net-ssh for the SSH. So is it vulnerable?
> > Should the ciphers be disabled there? Is the upstream aware?
> > 
> > This report unfortunately does not provide too much information.
> 
> vagrant is listed becuase of this below golang dependency:
> 
> $ depcli -svv golang.org/x/crypto/ssh -e golang | grep vagrant 
> fedora-39	vagrant-2.3.4-3.fc39
> (golang.org/x/crypto/ssh.0-20201002170205-7f63de1d35b0, golang)

Thx for elaborating. Is it possible to provide this level of detail in the future? As you can see, something like this never came to my mind.
Comment 17 Peter Ajamian 2023-12-21 01:55:28 UTC 
Looking for a mitigation for RHEL 7, does this appear to be correct?

/etc/ssh/ssh_config:
```
Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160,umac-64,umac-128
```

/etc/ssh/sshd_config:
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
MACs umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-sha1
```

...or basically to remove the chacha cipher and etm macs from both configs.  To get a list of the current ciphers and macs:
```
ssh -Q cipher
ssh -Q mac
sshd -T | grep -e '^ciphers ' -e '^macs '
```
Comment 18 ybuenos 2023-12-25 20:33:50 UTC 
Created erlang tracking bugs for this issue:

Affects: epel-all [bug 2255862]
Affects: fedora-all [bug 2255863]
Comment 20 Patrick Del Bello 2023-12-26 15:50:45 UTC 
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 2255907]
Affects: fedora-all [bug 2255908]
Affects: openstack-rdo [bug 2255912]
Comment 22 Ravindra Patil 2024-01-03 15:48:59 UTC 
Hello Peter

You did remove chacha cipher and etm macs, but the ciphers you referred continue to use weak ciphers like CBC, which will continue report cbc related vulnerabilities.

To mitigate the CVE-2023-48795 and avoid other vulnerabilities to be reported, we can recommend to use strict MACs and Ciphers on RHEL7 in both files /etc/ssh/ssh_config and /etc/ssh/sshd_config.

Below strict set of Ciphers and MACs can be used as mitigation for RHEL 7.

```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm
MACs umac-64,umac-128,hmac-sha2-256,hmac-sha2-512
```

OR

Remove the chacha cipher and etm macs from both config options which are currently configured.
```
ssh -Q cipher
ssh -Q mac
sshd -T | grep -e '^ciphers ' -e '^macs '
```

Regards
Ravindra
Comment 24 Fedora Update System 2024-01-11 00:39:59 UTC 
FEDORA-EPEL-2024-b45b6eada5 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2024-01-24 16:40:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0455 https://access.redhat.com/errata/RHSA-2024:0455
Comment 32 errata-xmlrpc 2024-01-24 16:49:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0429 https://access.redhat.com/errata/RHSA-2024:0429
Comment 33 errata-xmlrpc 2024-01-25 15:31:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0499 https://access.redhat.com/errata/RHSA-2024:0499
Comment 34 errata-xmlrpc 2024-01-29 08:20:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0538 https://access.redhat.com/errata/RHSA-2024:0538
Comment 35 errata-xmlrpc 2024-01-30 14:07:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0594 https://access.redhat.com/errata/RHSA-2024:0594
Comment 36 errata-xmlrpc 2024-01-30 14:53:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0606 https://access.redhat.com/errata/RHSA-2024:0606
Comment 37 errata-xmlrpc 2024-01-31 08:29:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0625 https://access.redhat.com/errata/RHSA-2024:0625
Comment 38 errata-xmlrpc 2024-01-31 08:40:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0628 https://access.redhat.com/errata/RHSA-2024:0628
Comment 39 Alexander Peslyak 2024-02-05 00:52:29 UTC 
Giving the timing, the problem report here may indicate there's an issue with the RHEL8 fix - https://superuser.com/questions/1828501/how-to-solve-ssh-connection-corrupted-error - or it could be unrelated. Just a heads up.
Comment 40 ketan kothari 2024-02-05 23:07:37 UTC 
There is a known issue with this version : https://github.com/oracle/oracle-linux/issues/125 and Oracle has pulled back this patch for now from their repos. So running below will restore access.

sudo dnf downgrade openssh-server
sudo dnf clean all

This will update the packages openssh , openssh-clients , openssh-server back to openssh-server-8.0p1-19.el8_8.x86_64 from current openssh-server-8.0p1-19.el8_8.x86_64
Comment 41 ketan kothari 2024-02-05 23:08:20 UTC 
There is a known issue with this version : https://github.com/oracle/oracle-linux/issues/125 and Oracle has pulled back this patch for now from their repos. So running below will restore access.

sudo dnf downgrade openssh-server
sudo dnf clean all

This will update the packages openssh , openssh-clients , openssh-server back to openssh-server-8.0p1-19.el8_8.x86_64 from current openssh-server-8.0p1-19.el8_8.x86_64
Comment 42 errata-xmlrpc 2024-02-12 15:24:43 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.10

Via RHSA-2024:0722 https://access.redhat.com/errata/RHSA-2024:0722
Comment 43 errata-xmlrpc 2024-02-12 16:02:09 UTC 
This issue has been addressed in the following products:

  RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)

Via RHSA-2024:0789 https://access.redhat.com/errata/RHSA-2024:0789
Comment 44 errata-xmlrpc 2024-02-15 12:55:33 UTC 
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843
Comment 45 errata-xmlrpc 2024-02-20 11:03:37 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880
Comment 46 errata-xmlrpc 2024-02-27 15:16:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0954 https://access.redhat.com/errata/RHSA-2024:0954
Comment 47 errata-xmlrpc 2024-02-27 19:47:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
Comment 53 errata-xmlrpc 2024-02-27 20:49:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
Comment 54 errata-xmlrpc 2024-02-27 22:28:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201
Comment 56 errata-xmlrpc 2024-02-28 08:11:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0766 https://access.redhat.com/errata/RHSA-2024:0766
Comment 57 errata-xmlrpc 2024-03-05 18:11:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1130 https://access.redhat.com/errata/RHSA-2024:1130
Comment 58 errata-xmlrpc 2024-03-05 18:13:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1150 https://access.redhat.com/errata/RHSA-2024:1150
Comment 59 errata-xmlrpc 2024-03-06 15:29:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:1193 https://access.redhat.com/errata/RHSA-2024:1193
Comment 60 errata-xmlrpc 2024-03-06 15:30:15 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:1192 https://access.redhat.com/errata/RHSA-2024:1192
Comment 61 errata-xmlrpc 2024-03-06 15:38:27 UTC 
This issue has been addressed in the following products:

  EAP 8.0.1

Via RHSA-2024:1194 https://access.redhat.com/errata/RHSA-2024:1194
Comment 62 errata-xmlrpc 2024-03-06 17:52:26 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:1197 https://access.redhat.com/errata/RHSA-2024:1197
Comment 63 errata-xmlrpc 2024-03-06 17:54:50 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:1196 https://access.redhat.com/errata/RHSA-2024:1196
Comment 64 errata-xmlrpc 2024-03-13 15:31:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1210 https://access.redhat.com/errata/RHSA-2024:1210
Comment 65 coldford@redhat.com 2024-03-15 12:45:00 UTC 
Hello,

Are there plans to backport the fix to Red Hat OpenShift Container Platform 4.10 and Red Hat OpenShift Container Platform 4.12 ?

Cory Oldford
Comment 68 errata-xmlrpc 2024-03-28 05:31:18 UTC 
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.0-RHEL-8

Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557
Comment 69 errata-xmlrpc 2024-04-04 15:20:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:1676 https://access.redhat.com/errata/RHSA-2024:1676
Comment 70 errata-xmlrpc 2024-04-04 15:20:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:1675 https://access.redhat.com/errata/RHSA-2024:1675
Comment 71 errata-xmlrpc 2024-04-04 15:21:05 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:1674 https://access.redhat.com/errata/RHSA-2024:1674
Comment 72 errata-xmlrpc 2024-04-04 15:22:52 UTC 
This issue has been addressed in the following products:

  EAP 7.4.16

Via RHSA-2024:1677 https://access.redhat.com/errata/RHSA-2024:1677
Comment 73 errata-xmlrpc 2024-04-16 17:26:12 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
Comment 77 errata-xmlrpc 2024-05-22 09:28:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988
Comment 79 errata-xmlrpc 2024-05-22 20:34:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2735 https://access.redhat.com/errata/RHSA-2024:2735
Comment 80 errata-xmlrpc 2024-05-22 20:37:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:2768 https://access.redhat.com/errata/RHSA-2024:2768
Comment 81 errata-xmlrpc 2024-05-29 19:50:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2728 https://access.redhat.com/errata/RHSA-2024:2728
Comment 82 errata-xmlrpc 2024-05-29 21:40:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3479 https://access.redhat.com/errata/RHSA-2024:3479
Comment 83 errata-xmlrpc 2024-06-05 14:43:50 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2024:3636 https://access.redhat.com/errata/RHSA-2024:3636
Comment 84 errata-xmlrpc 2024-06-05 14:44:24 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2024:3634 https://access.redhat.com/errata/RHSA-2024:3634
Comment 85 errata-xmlrpc 2024-06-05 14:44:58 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2024:3635 https://access.redhat.com/errata/RHSA-2024:3635
Comment 95 errata-xmlrpc 2024-06-19 15:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:3918 https://access.redhat.com/errata/RHSA-2024:3918
Comment 96 rdomingo 2024-06-20 07:12:44 UTC 
Hi Team - I spun up an ARO cluster version 4.15.17 and see that this chacha20-poly1305 is still being seen. As per https://access.redhat.com/errata/RHSA-2024:3918 and https://access.redhat.com/errata/RHSA-2023:7198 should have mitigated the cipher. Please advise.

➜  ~ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.15.17   True        False         11m     Cluster version is 4.15.17

➜  ~ oc get nodes
NAME                                            STATUS   ROLES                  AGE     VERSION
rodtestcluster-vlwj6-worker-westeurope1-w86dv   Ready    worker                 3h18m   v1.28.10+a2c84a5

➜  ~ oc debug node/rodtestcluster-vlwj6-worker-westeurope1-w86dv
Starting pod/rodtestcluster-vlwj6-worker-westeurope1-w86dv-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.2.5
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-5.1# sshd -T|grep -i cipher
main: sshd: ssh-rsa algorithm is disabled
ciphers aes256-gcm,chacha20-poly1305,aes256-ctr,aes128-gcm,aes128-ctr
Comment 97 errata-xmlrpc 2024-06-26 02:06:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4010 https://access.redhat.com/errata/RHSA-2024:4010
Comment 101 errata-xmlrpc 2024-06-27 10:52:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0040 https://access.redhat.com/errata/RHSA-2024:0040
Comment 102 errata-xmlrpc 2024-06-27 11:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 103 errata-xmlrpc 2024-07-02 19:32:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4151 https://access.redhat.com/errata/RHSA-2024:4151
Comment 104 errata-xmlrpc 2024-07-11 11:54:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4329 https://access.redhat.com/errata/RHSA-2024:4329
Comment 105 errata-xmlrpc 2024-07-17 00:38:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4479 https://access.redhat.com/errata/RHSA-2024:4479
Comment 106 errata-xmlrpc 2024-07-17 01:36:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4484 https://access.redhat.com/errata/RHSA-2024:4484
Comment 107 errata-xmlrpc 2024-07-17 18:46:56 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2024:4597 https://access.redhat.com/errata/RHSA-2024:4597
Comment 108 errata-xmlrpc 2024-07-18 19:25:26 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.15

Via RHSA-2024:4662 https://access.redhat.com/errata/RHSA-2024:4662
Comment 110 errata-xmlrpc 2024-07-24 18:53:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:4613 https://access.redhat.com/errata/RHSA-2024:4613
Comment 111 errata-xmlrpc 2024-08-07 01:16:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4955 https://access.redhat.com/errata/RHSA-2024:4955
Comment 112 errata-xmlrpc 2024-08-07 10:18:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4959 https://access.redhat.com/errata/RHSA-2024:4959
Comment 113 errata-xmlrpc 2024-08-07 10:51:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960
Comment 115 errata-xmlrpc 2024-08-19 05:40:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:5200 https://access.redhat.com/errata/RHSA-2024:5200
Comment 116 errata-xmlrpc 2024-08-21 03:37:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:5438 https://access.redhat.com/errata/RHSA-2024:5438
Comment 117 errata-xmlrpc 2024-08-21 21:42:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5432 https://access.redhat.com/errata/RHSA-2024:5432
Comment 118 errata-xmlrpc 2024-08-22 11:41:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:5433 https://access.redhat.com/errata/RHSA-2024:5433
Comment 119 errata-xmlrpc 2024-09-11 18:34:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6406 https://access.redhat.com/errata/RHSA-2024:6406
Comment 120 errata-xmlrpc 2024-10-01 17:30:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718
Comment 121 errata-xmlrpc 2024-10-23 13:15:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8235 https://access.redhat.com/errata/RHSA-2024:8235
Note You need to log in before you can comment on or make changes to this bug.